From patchwork Tue Sep 16 15:00:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hugues KAMBA MPIANA X-Patchwork-Id: 70361 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9E00BCAC598 for ; Tue, 16 Sep 2025 15:00:26 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.580.1758034819587568261 for ; Tue, 16 Sep 2025 08:00:19 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: hugues.kambampiana@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 011AE1595; Tue, 16 Sep 2025 08:00:11 -0700 (PDT) Received: from LXKV206JHX.arm.com (unknown [10.57.80.132]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 933863F694; Tue, 16 Sep 2025 08:00:18 -0700 (PDT) From: Hugues KAMBA MPIANA To: meta-arm@lists.yoctoproject.org Cc: Hugues KAMBA MPIANA Subject: [PATCH 1/4] arm/trusted-services:corstone1000: Pass Corstone-1000 target type Date: Tue, 16 Sep 2025 16:00:10 +0100 Message-ID: <20250916150013.30666-2-hugues.kambampiana@arm.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250916150013.30666-1-hugues.kambampiana@arm.com> References: <20250916150013.30666-1-hugues.kambampiana@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Sep 2025 15:00:26 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6711 Trusted Services requires knowledge of the Corstone-1000 platform type to select the correct set of FWU image UUIDs at compile time. This change introduces a CORSTONE_1000_TYPE variable in both BitBake and CMake code to differentiate between Corstone-1000 platform types. Its value is determined by the selected Corstone-1000 target machine configuration file: * `CORSTONE_1000_TYPE_CORTEX_A35_FVP` * `CORSTONE_1000_TYPE_CORTEX_A35_MPS3` Signed-off-by: Hugues KAMBA MPIANA --- .../conf/machine/corstone1000-fvp.conf | 2 +- .../conf/machine/corstone1000-mps3.conf | 6 +- ...e1000-Add-PLATFORM_IS_FVP-toggle-for.patch | 77 ------------------- ...e1000-Add-CORSTONE_1000_TYPE-variabl.patch | 72 +++++++++++++++++ .../trusted-services/ts-arm-platforms.inc | 6 +- 5 files changed, 80 insertions(+), 83 deletions(-) delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-Platform-Corstone1000-Add-PLATFORM_IS_FVP-toggle-for.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch diff --git a/meta-arm-bsp/conf/machine/corstone1000-fvp.conf b/meta-arm-bsp/conf/machine/corstone1000-fvp.conf index 632bd028..b897931c 100644 --- a/meta-arm-bsp/conf/machine/corstone1000-fvp.conf +++ b/meta-arm-bsp/conf/machine/corstone1000-fvp.conf @@ -7,7 +7,7 @@ TFA_TARGET_PLATFORM = "fvp" TFM_PLATFORM_IS_FVP = "TRUE" -TS_PLATFORM = "arm/corstone1000-fvp" +CORSTONE_1000_TYPE = "CORSTONE_1000_TYPE_CORTEX_A35_FVP" # testimage config TEST_TARGET = "OEFVPTarget" diff --git a/meta-arm-bsp/conf/machine/corstone1000-mps3.conf b/meta-arm-bsp/conf/machine/corstone1000-mps3.conf index cefe184b..2b5aed4e 100644 --- a/meta-arm-bsp/conf/machine/corstone1000-mps3.conf +++ b/meta-arm-bsp/conf/machine/corstone1000-mps3.conf @@ -6,9 +6,7 @@ require conf/machine/include/corstone1000.inc TFA_TARGET_PLATFORM = "fpga" -PLATFORM_IS_FVP = "FALSE" - -TS_PLATFORM = "arm/corstone1000-mps3" - # Unlike the FVP, MPS3 supports CoreSight MACHINE_FEATURES += "coresight" + +CORSTONE_1000_TYPE = "CORSTONE_1000_TYPE_CORTEX_A35_MPS3" diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-Platform-Corstone1000-Add-PLATFORM_IS_FVP-toggle-for.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-Platform-Corstone1000-Add-PLATFORM_IS_FVP-toggle-for.patch deleted file mode 100644 index b4c027cc..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-Platform-Corstone1000-Add-PLATFORM_IS_FVP-toggle-for.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 00cbde17d3e38de385a6f0897cdd6d9bfe8250c7 Mon Sep 17 00:00:00 2001 -From: Ali Can Ozaslan -Date: Thu, 27 Feb 2025 14:06:07 +0000 -Subject: [PATCH 03/10] Platform: Corstone1000: Add PLATFORM_IS_FVP toggle for - FVP/FPGA builds - -Introduces PLATFORM_IS_FVP to differentiate between FVP and FPGA builds. -Adds platform-specific CMake files for corstone1000-fvp and corstone1000-mps3, -and updates platform.cmake to use this toggle. - -Upstream-Status: Pending -Signed-off-by: Ali Can Ozaslan -Signed-off-by: Harsimran Singh Tungal ---- - .../providers/arm/corstone1000-fvp/platform.cmake | 11 +++++++++++ - .../providers/arm/corstone1000-mps3/platform.cmake | 11 +++++++++++ - platform/providers/arm/corstone1000/platform.cmake | 3 ++- - 3 files changed, 24 insertions(+), 1 deletion(-) - create mode 100644 platform/providers/arm/corstone1000-fvp/platform.cmake - create mode 100644 platform/providers/arm/corstone1000-mps3/platform.cmake - -diff --git a/platform/providers/arm/corstone1000-fvp/platform.cmake b/platform/providers/arm/corstone1000-fvp/platform.cmake -new file mode 100644 -index 00000000..9a281e7a ---- /dev/null -+++ b/platform/providers/arm/corstone1000-fvp/platform.cmake -@@ -0,0 +1,11 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2025, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+# Platform definition for the Corstone-1000-MPS3 platform. -+#------------------------------------------------------------------------------- -+ -+set(PLATFORM_IS_FVP 1 CACHE BOOL "Whether to enable FVP or FPGA build of the platform.") -+ -+include(${TS_PLATFORM_ROOT}/arm/corstone1000/platform.cmake) -diff --git a/platform/providers/arm/corstone1000-mps3/platform.cmake b/platform/providers/arm/corstone1000-mps3/platform.cmake -new file mode 100644 -index 00000000..ec92d1e5 ---- /dev/null -+++ b/platform/providers/arm/corstone1000-mps3/platform.cmake -@@ -0,0 +1,11 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2025, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+# Platform definition for the Corstone-1000-FVP platform. -+#------------------------------------------------------------------------------- -+ -+set(PLATFORM_IS_FVP 0 CACHE BOOL "Whether to enable FVP or FPGA build of the platform.") -+ -+include(${TS_PLATFORM_ROOT}/arm/corstone1000/platform.cmake) -diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -index 04c8138f..60bc208b 100644 ---- a/platform/providers/arm/corstone1000/platform.cmake -+++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -1,5 +1,5 @@ - #------------------------------------------------------------------------------- --# Copyright (c) 2021-2024, Arm Limited and Contributors. All rights reserved. -+# Copyright (c) 2021-2025, Arm Limited and Contributors. All rights reserved. - # - # SPDX-License-Identifier: BSD-3-Clause - # -@@ -17,6 +17,7 @@ target_compile_definitions(${TGT} PRIVATE - PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE=${PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE} - COMMS_MHU_MSG_SIZE=${COMMS_MHU_MSG_SIZE} - MBEDTLS_ECP_DP_SECP521R1_ENABLED -+ PLATFORM_IS_FVP=${PLATFORM_IS_FVP} - ) - - get_property(_platform_driver_dependencies TARGET ${TGT} --- -2.34.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch new file mode 100644 index 00000000..8b387694 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch @@ -0,0 +1,72 @@ +From a644191e6f184e39fbe60a8fd79bf34a9a88eb17 Mon Sep 17 00:00:00 2001 +From: Hugues KAMBA MPIANA +Date: Thu, 11 Sep 2025 14:25:04 +0100 +Subject: [PATCH] platform: corstone1000: Add CORSTONE_1000_TYPE variable for + platform selection + +This change introduces a CORSTONE_1000_TYPE variable in both CMake +and C code to differentiate between Corstone-1000 platform types: +* `CORSTONE_1000_TYPE_CORTEX_A35_FVP` +* `CORSTONE_1000_TYPE_CORTEX_A35_MPS3` + +The default platform type (`CORSTONE_1000_TYPE_CORTEX_A35_FVP`) is +set in CMake and can be overridden via the `-DCORSTONE_1000_TYPE` +option at configure time. + +This variable will be used to select the correct FWU image UUIDs at +compile time, as the UUIDs differ depending on the target platform. + +Upstream-Status: Backport [2cd4db9828f244de77e402ad31c52d9c4ba3c600] +Signed-off-by: Hugues KAMBA MPIANA +Signed-off-by: Ali Can Ozaslan +Signed-off-by: Harsimran Singh Tungal +--- + .../providers/arm/corstone1000/platform.cmake | 21 ++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake +index d39b7903..478a394d 100644 +--- a/platform/providers/arm/corstone1000/platform.cmake ++++ b/platform/providers/arm/corstone1000/platform.cmake +@@ -1,11 +1,29 @@ + #------------------------------------------------------------------------------- +-# Copyright (c) 2021-2024, Arm Limited and Contributors. All rights reserved. ++# Copyright (c) 2021-2025, Arm Limited and Contributors. All rights reserved. + # + # SPDX-License-Identifier: BSD-3-Clause + # + # Platform definition for the Corstone-1000 platform. + #------------------------------------------------------------------------------- + ++# Important: The order and index of values must match C code expectations ++set(_corstone_1000_valid_types ++ CORSTONE_1000_TYPE_CORTEX_A35_FVP ++ CORSTONE_1000_TYPE_CORTEX_A35_MPS3 ++) ++set(CORSTONE_1000_TYPE "CORSTONE_1000_TYPE_CORTEX_A35_FVP" CACHE STRING ++ "Corstone-1000 platform type. Valid values are: ${_corstone_1000_valid_types}" ++) ++set_property(CACHE CORSTONE_1000_TYPE PROPERTY STRINGS ${_corstone_1000_valid_types}) ++list(FIND _corstone_1000_valid_types "${CORSTONE_1000_TYPE}" CORSTONE_1000_TYPE_INT) ++if(CORSTONE_1000_TYPE_INT EQUAL -1) ++ message(FATAL_ERROR ++ "Invalid CORSTONE_1000_TYPE: ${CORSTONE_1000_TYPE}. ++ Valid values are: ${_corstone_1000_valid_types}" ++ ) ++endif() ++unset(_corstone_1000_valid_types) ++ + set(SMM_GATEWAY_MAX_UEFI_VARIABLES 80 CACHE STRING "Maximum UEFI variable count") + set(SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE 4*4096 CACHE STRING "RPC caller buffer size in SMMGW") + set(SMM_SP_HEAP_SIZE 80*1024 CACHE STRING "SMM gateway SP heap size") +@@ -14,6 +32,7 @@ target_compile_definitions(${TGT} PRIVATE + SMM_VARIABLE_INDEX_STORAGE_UID=0x787 + PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE=0x2080 + COMMS_MHU_MSG_SIZE=0x3500 ++ CORSTONE_1000_TYPE=${CORSTONE_1000_TYPE_INT} + ) + + get_property(_platform_driver_dependencies TARGET ${TGT} +-- +2.43.0 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc b/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc index a17beeee..4d2dfa31 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc @@ -10,7 +10,7 @@ SRC_URI:append:corstone1000 = " \ file://0006-Align-PSA-Crypto-with-TF-Mv2.1.patch \ file://0007-Revert-Load-and-store-UEFI-variable-index-in-chunks.patch \ file://0008-se-proxy-protobuf-change.patch \ - file://0009-Platform-Corstone1000-Add-PLATFORM_IS_FVP-toggle-for.patch \ + file://0009-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch \ file://0010-Integrate-PSA-FWU-IPC-framework-for-Corstone-1000.patch \ file://0011-Load-initial-image-state-in-PSA-FWU-M-update-agent.patch \ file://0012-Corstone1000-Define-PSA-FWU-image-mapping-structure.patch \ @@ -27,3 +27,7 @@ CFLAGS:append:corstone1000 = " -Wno-int-conversion -Wno-implicit-function-declar COMPATIBLE_MACHINE:fvp-base = "fvp-base" TS_PLATFORM:fvp-base = "arm/fvp/fvp_base_revc-2xaemv8a" + +EXTRA_OECMAKE:append:corstone1000 = " \ + -DCORSTONE_1000_TYPE=${CORSTONE_1000_TYPE} \ +" From patchwork Tue Sep 16 15:00:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Hugues KAMBA MPIANA X-Patchwork-Id: 70363 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BE3C8CAC59F for ; Tue, 16 Sep 2025 15:00:26 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.635.1758034820766319486 for ; Tue, 16 Sep 2025 08:00:21 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: hugues.kambampiana@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 1B989FEC; Tue, 16 Sep 2025 08:00:12 -0700 (PDT) Received: from LXKV206JHX.arm.com (unknown [10.57.80.132]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 8D6433F694; Tue, 16 Sep 2025 08:00:19 -0700 (PDT) From: Hugues KAMBA MPIANA To: meta-arm@lists.yoctoproject.org Cc: Hugues KAMBA MPIANA Subject: [PATCH 2/4] arm/trusted-services: Upgrade Trusted Services to v1.2.0 Date: Tue, 16 Sep 2025 16:00:11 +0100 Message-ID: <20250916150013.30666-3-hugues.kambampiana@arm.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250916150013.30666-1-hugues.kambampiana@arm.com> References: <20250916150013.30666-1-hugues.kambampiana@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Sep 2025 15:00:26 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6712 * Update Trusted Services from v1.1.0 to v1.2.0 * De-list obsolete Corstone-1000 TS patches * Rework remaining Corstone-1000 TS patches for correct application * Mark remaining Corstone-1000 TS patches as Backport in upstream status * Reorder Corstone-1000 TS patches to match upstream application order Signed-off-by: Hugues KAMBA MPIANA Signed‑off‑by: Bence Balogh --- .../0003-Remove-Werror-flag.patch | 65 +- ...M_HAS_ATTEST_PK-define-from-IAT-test.patch | 17 +- ...-store-UEFI-variable-index-in-chunks.patch | 26 +- ...007-fwu-proxy-refactor-image-mapping.patch | 856 ++++++++++++++++++ ...e1000-Add-CORSTONE_1000_TYPE-variabl.patch | 30 +- ...C-psa_fwu_install-return-value-check.patch | 75 +- .../0014-fwu-Add-EFI-ESRT-v1-support.patch | 228 +++-- ...orstone1000-Add-event-provider-proxy.patch | 283 +++--- ...ne1000-Define-GUID-for-each-payloads.patch | 290 ++++-- ...he-com-buffer-address-and-page-count.patch | 31 +- ...ting-warnings-as-errors-configurable.patch | 194 ++++ ...crypto-fix-AEAD-block-cypher-support.patch | 73 ++ .../trusted-services/ts-arm-platforms.inc | 26 +- .../trusted-services/trusted-services-src.inc | 3 +- 14 files changed, 1786 insertions(+), 411 deletions(-) create mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-fwu-proxy-refactor-image-mapping.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0022-Make-treating-warnings-as-errors-configurable.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0024-psa-crypto-fix-AEAD-block-cypher-support.patch diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-Remove-Werror-flag.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-Remove-Werror-flag.patch index cbb9780c..7d4f17e6 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-Remove-Werror-flag.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-Remove-Werror-flag.patch @@ -1,22 +1,24 @@ -From 5456cf76e45fc4b06d67b31b53f66a96833c67d9 Mon Sep 17 00:00:00 2001 -From: Gyorgy Szing +From c50ad182f8375eacb315b894229eec7f4cad1b30 Mon Sep 17 00:00:00 2001 +From: Hugues KAMBA MPIANA Date: Fri, 18 Oct 2024 11:50:32 +0000 -Subject: [PATCH 08/12] Remove Werror flag +Subject: [PATCH 6/7] smm-gateway/config: Remove `Werror` compile option -Remove Werror flag due to compilation issues for TS in yocto +Adding `-Werror` to CMakeLists.txt unintended when +originally committed. -Upstream-Status: Inappropriate [Only for meta-arm] +Remove the compilation option from `default-opteesp` and +`default-sp` configuration CMakeLists.txt files. + +Upstream-Status: Backport [c50ad182f8375eacb315b894229eec7f4cad1b30] Signed-off-by: Harsimran Singh Tungal +Signed-off-by: Hugues KAMBA MPIANA --- deployments/smm-gateway/config/default-opteesp/CMakeLists.txt | 1 - deployments/smm-gateway/config/default-sp/CMakeLists.txt | 1 - - environments/arm-linux/default_toolchain_file.cmake | 2 +- - environments/linux-pc/default_toolchain_file.cmake | 2 +- - environments/opteesp/default_toolchain_file.cmake | 2 +- - 5 files changed, 3 insertions(+), 5 deletions(-) + 2 files changed, 2 deletions(-) diff --git a/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt b/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt -index 94ff14c2c..42385635d 100644 +index 94ff14c2..42385635 100644 --- a/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt +++ b/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt @@ -92,7 +92,6 @@ target_compile_definitions(smm-gateway PRIVATE @@ -28,7 +30,7 @@ index 94ff14c2c..42385635d 100644 endif() diff --git a/deployments/smm-gateway/config/default-sp/CMakeLists.txt b/deployments/smm-gateway/config/default-sp/CMakeLists.txt -index e92f16384..578027163 100644 +index e92f1638..57802716 100644 --- a/deployments/smm-gateway/config/default-sp/CMakeLists.txt +++ b/deployments/smm-gateway/config/default-sp/CMakeLists.txt @@ -89,7 +89,6 @@ target_compile_definitions(smm-gateway PRIVATE @@ -39,45 +41,6 @@ index e92f16384..578027163 100644 ) endif() -diff --git a/environments/arm-linux/default_toolchain_file.cmake b/environments/arm-linux/default_toolchain_file.cmake -index 7e565dd20..ad11248b3 100644 ---- a/environments/arm-linux/default_toolchain_file.cmake -+++ b/environments/arm-linux/default_toolchain_file.cmake -@@ -19,7 +19,7 @@ set(CMAKE_SYSTEM_PROCESSOR arm) - - set(TS_DEBUG_INFO_FLAGS "-fdiagnostics-show-option -gdwarf-2" CACHE STRING "Compiler flags to add debug information.") - set(TS_MANDATORY_AARCH_FLAGS "-mstrict-align -march=armv8-a+crc -DARM64=1" CACHE STRING "Compiler flags configuring architecture specific ") --set(TS_WARNING_FLAGS "-Wall -Werror" CACHE STRING "Compiler flags affecting generating warning messages.") -+set(TS_WARNING_FLAGS "-Wall" CACHE STRING "Compiler flags affecting generating warning messages.") - set(TS_MANDATORY_LINKER_FLAGS "" CACHE STRING "Linker flags needed for correct builds.") - - # branch-protection enables bti/pac while compile force-bti tells the linker to -diff --git a/environments/linux-pc/default_toolchain_file.cmake b/environments/linux-pc/default_toolchain_file.cmake -index 2215d6b5d..74d8b6806 100644 ---- a/environments/linux-pc/default_toolchain_file.cmake -+++ b/environments/linux-pc/default_toolchain_file.cmake -@@ -11,7 +11,7 @@ include_guard(GLOBAL) - - set(TS_DEBUG_INFO_FLAGS "-fdiagnostics-show-option -gdwarf-2" CACHE STRING "Compiler flags to add debug information.") - set(TS_MANDATORY_AARCH_FLAGS "" CACHE STRING "Compiler flags configuring architecture specific ") --set(TS_WARNING_FLAGS "-Wall -Werror" CACHE STRING "Compiler flags affecting generating warning messages.") -+set(TS_WARNING_FLAGS "-Wall" CACHE STRING "Compiler flags affecting generating warning messages.") - set(TS_MANDATORY_LINKER_FLAGS "" CACHE STRING "Linker flags needed for correct builds.") - - # Set flags affecting all build types -diff --git a/environments/opteesp/default_toolchain_file.cmake b/environments/opteesp/default_toolchain_file.cmake -index b150b8528..297b5f886 100644 ---- a/environments/opteesp/default_toolchain_file.cmake -+++ b/environments/opteesp/default_toolchain_file.cmake -@@ -21,7 +21,7 @@ set(CMAKE_POSITION_INDEPENDENT_CODE True) - - set(TS_DEBUG_INFO_FLAGS "-fdiagnostics-show-option -gdwarf-2" CACHE STRING "Compiler flags to add debug information.") - set(TS_MANDATORY_AARCH_FLAGS "-fpic -mstrict-align -march=armv8-a+crc" CACHE STRING "Compiler flags configuring architecture specific ") --set(TS_WARNING_FLAGS "-Wall -Werror" CACHE STRING "Compiler flags affecting generating warning messages.") -+set(TS_WARNING_FLAGS "-Wall" CACHE STRING "Compiler flags affecting generating warning messages.") - set(TS_MANDATORY_LINKER_FLAGS "-pie -Wl,--as-needed -Wl,--sort-section=alignment -zmax-page-size=4096" - CACHE STRING "Linker flags needed for correct builds.") - -- -2.25.1 +2.43.0 diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch index e95fe821..44f2bdd0 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch @@ -1,10 +1,23 @@ From cee283641224d2a6660cde0ad83e59bdddbc2f37 Mon Sep 17 00:00:00 2001 From: Bence Balogh Date: Tue, 14 May 2024 15:58:15 +0200 -Subject: [PATCH 09/12] Remove PLATFORM_HAS_ATTEST_PK define from IAT test +Subject: [PATCH] Remove PLATFORM_HAS_ATTEST_PK define from IAT test +The `PLATFORM_HAS_ATTEST_PK` flag is removed to allow +`PLATFORM_OVERRIDE_ATTEST_PK` to be defined in `psa-api-test`. + +When `PLATFORM_HAS_ATTEST_PK` is set, `psa-api-test` does not define +`PLATFORM_OVERRIDE_ATTEST_PK`, preventing use of the hard-coded +attestation public key. +This is required for the Corstone-1000, which is a Cortex-A+Cortex-M +platform, as it cannot retrieve the attestation PK from the Secure +Enclave. + +Cortex-A based IAT deployments are unaffected, as they can retrieve +the attestation public key directly. + +Upstream-Status: Inappropriate [The change is only necessary for A+M platforms] Signed-off-by: Bence Balogh -Upstream-Status: Inappropriate [Should remove the flag only for CS1000] --- deployments/psa-api-test/initial_attestation/iat-api-test.cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-Revert-Load-and-store-UEFI-variable-index-in-chunks.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-Revert-Load-and-store-UEFI-variable-index-in-chunks.patch index 176900b5..e076759b 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-Revert-Load-and-store-UEFI-variable-index-in-chunks.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-Revert-Load-and-store-UEFI-variable-index-in-chunks.patch @@ -1,7 +1,7 @@ -From a986e751f6d4ef34bdc3847cfb02e6f24fbb0702 Mon Sep 17 00:00:00 2001 -From: Bence Balogh -Date: Mon, 25 Nov 2024 22:13:15 +0100 -Subject: [PATCH 01/12] Revert "Load and store UEFI variable index in chunks" +From ce6571f7d1054ff003a29e7f977588f1c8e96cc8 Mon Sep 17 00:00:00 2001 +From: Hugues KAMBA MPIANA +Date: Fri, 12 Sep 2025 15:41:10 +0100 +Subject: [PATCH] Revert "Load and store UEFI variable index in chunks" This reverts commit a0a08571084238af2a24d4e6e580308f86ab59a2. The PSA IPC backend for the Protected Storage doesn't support the optional @@ -13,11 +13,13 @@ APIs are not optional in the SMM-Gateway. Upstream-Status: Inappropriate [To be redesigned] Signed-off-by: Bence Balogh Signed-off-by: Harsimran Singh Tungal +Signed-off-by: Hugues KAMBA MPIANA --- .../backend/test/variable_store_tests.cpp | 100 +-------------- .../backend/uefi_variable_store.c | 115 ++++-------------- deployments/smm-gateway/common/smm_gateway.c | 4 + - 3 files changed, 28 insertions(+), 191 deletions(-) + .../providers/arm/corstone1000/platform.cmake | 1 + + 4 files changed, 29 insertions(+), 191 deletions(-) diff --git a/components/service/uefi/smm_variable/backend/test/variable_store_tests.cpp b/components/service/uefi/smm_variable/backend/test/variable_store_tests.cpp index 0f962f20..7c7435fb 100644 @@ -318,6 +320,18 @@ index 3ab45ccf..eaa86137 100644 /** * The SP heap must be large enough for storing the UEFI variable index, the RPC shared memory and * ~16kB of miscellaneous data. +diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake +index 91158e93..7da375f0 100644 +--- a/platform/providers/arm/corstone1000/platform.cmake ++++ b/platform/providers/arm/corstone1000/platform.cmake +@@ -52,6 +52,7 @@ target_compile_definitions(${TGT} PRIVATE + MBEDTLS_ECP_DP_SECP521R1_ENABLED + CORSTONE_1000_TYPE=${CORSTONE_1000_TYPE_INT} + TFM_FWU_MAX_DIGEST_SIZE=${TFM_FWU_MAX_DIGEST_SIZE} ++ SMM_VARIABLE_INDEX_STORAGE_UID=0x787 + ) + + get_property(_platform_driver_dependencies TARGET ${TGT} -- -2.34.1 +2.43.0 diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-fwu-proxy-refactor-image-mapping.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-fwu-proxy-refactor-image-mapping.patch new file mode 100644 index 00000000..591ff58f --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-fwu-proxy-refactor-image-mapping.patch @@ -0,0 +1,856 @@ +From ca3870a123f3449407d460dcbc6bc0ba0d135e1e Mon Sep 17 00:00:00 2001 +From: Gyorgy Szing +Date: Tue, 26 Aug 2025 15:01:44 +0200 +Subject: [PATCH 7/7] fwu-proxy: refactor image mapping + +Stop defining the size of the image mapping and the number of mappings +at different places (C code vs cmake). Move the number of images to the +image mapping structure of the FWU proxy. This simplifies the API and +makes consistent configuration easier. + +Upstream-Status: Backport [ca3870a123f3449407d460dcbc6bc0ba0d135e1e] +Signed-off-by: Gyorgy Szing +Signed-off-by: Hugues KAMBA MPIANA +--- + .../psa_fwu_m/agent/psa_fwu_m_update_agent.c | 24 +- + .../psa_fwu_m/agent/psa_fwu_m_update_agent.h | 14 +- + .../test/test_psa_fwu_m_update_agent.cpp | 214 +++++++++--------- + .../infra/corstone1000/corstone1000_config.c | 71 +++--- + .../infra/corstone1000/corstone1000_config.h | 2 + + deployments/se-proxy/infra/rse/spf_fwu.c | 27 +-- + .../infra/stub/service_proxy_factory.c | 2 +- + .../providers/arm/corstone1000/platform.cmake | 16 +- + 8 files changed, 191 insertions(+), 179 deletions(-) + +diff --git a/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.c b/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.c +index 26972fc0..650a6d04 100644 +--- a/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.c ++++ b/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.c +@@ -646,7 +646,7 @@ static const struct update_agent_interface interface = { + }; + + struct update_agent *psa_fwu_m_update_agent_init( +- const struct psa_fwu_m_image_mapping image_mapping[], size_t image_count, ++ const struct psa_fwu_m_image_mapping *image_mapping, + uint32_t max_payload_size) + { + psa_status_t psa_status = PSA_ERROR_GENERIC_ERROR; +@@ -658,8 +658,11 @@ struct update_agent *psa_fwu_m_update_agent_init( + uint8_t esrt_image_uuid[OSF_UUID_OCTET_LEN]; + size_t i = 0; + ++ if (!image_mapping) ++ return NULL; ++ + /* Allocate +1 image for the Image directory */ +- images = (struct psa_fwu_m_image *)calloc(image_count + 1, sizeof(*images)); ++ images = (struct psa_fwu_m_image *)calloc(image_mapping->count + 1, sizeof(*images)); + if (!images) + return NULL; /* LCOV_EXCL_LINE */ + +@@ -680,8 +683,8 @@ struct update_agent *psa_fwu_m_update_agent_init( + /* LCOV_EXCL_STOP */ + } + +- for (i = 0; i < image_count; i++) { +- psa_status = psa_fwu_query(image_mapping[i].component, &info); ++ for (i = 0; i < image_mapping->count; i++) { ++ psa_status = psa_fwu_query(image_mapping->images[i].component, &info); + if (psa_status != PSA_SUCCESS) { + free(images); + free(context); +@@ -689,8 +692,8 @@ struct update_agent *psa_fwu_m_update_agent_init( + return NULL; + } + +- images[i].uuid = image_mapping[i].uuid; +- images[i].component = image_mapping[i].component; ++ images[i].uuid = image_mapping->images[i].uuid; ++ images[i].component = image_mapping->images[i].component; + if (info.state == PSA_FWU_TRIAL) { + images[i].selected_for_staging = true; + state = trial; +@@ -711,14 +714,15 @@ struct update_agent *psa_fwu_m_update_agent_init( + } + + /* Insert Image directory as the last image */ +- uuid_octets_from_canonical(&images[image_count].uuid, FWU_DIRECTORY_CANONICAL_UUID); +- images[image_count].component = 0; +- images[image_count].selected_for_staging = false; ++ uuid_octets_from_canonical(&images[image_mapping->count].uuid, ++ FWU_DIRECTORY_CANONICAL_UUID); ++ images[image_mapping->count].component = 0; ++ images[image_mapping->count].selected_for_staging = false; + images[i].read = image_directory_read; + images[i].write = NULL; /* Cannot write Images directory */ + + context->images = images; +- context->image_count = image_count + 1; ++ context->image_count = image_mapping->count + 1; + context->max_payload_size = max_payload_size; + context->state = state; + +diff --git a/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.h b/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.h +index 6354b8ba..ca5f9949 100644 +--- a/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.h ++++ b/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2024, Arm Limited. All rights reserved. ++ * Copyright (c) 2024-2025, Arm Limited. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + * +@@ -17,21 +17,23 @@ extern "C" { + #endif + + struct psa_fwu_m_image_mapping { +- struct uuid_octets uuid; +- psa_fwu_component_t component; ++ size_t count; ++ struct { ++ struct uuid_octets uuid; ++ psa_fwu_component_t component; ++ } images[]; + }; + + /** + * \brief Initialise the PSA FWU M update_agent + * + * \param[in] image_mapping Component mapping array +- * \param[in] image_count Component mapping count + * \param[in] max_payload_size The maximum number of bytes that a payload can contain + * + * \return The update_agent + */ + struct update_agent *psa_fwu_m_update_agent_init( +- const struct psa_fwu_m_image_mapping image_mapping[], size_t image_count, ++ const struct psa_fwu_m_image_mapping *image_mapping, + uint32_t max_payload_size); + + /** +@@ -42,7 +44,7 @@ struct update_agent *psa_fwu_m_update_agent_init( + void psa_fwu_m_update_agent_deinit(struct update_agent *update_agent); + + /* This should be defined by the platform */ +-extern struct psa_fwu_m_image_mapping img_mapping[]; ++extern struct psa_fwu_m_image_mapping img_mapping; + + #ifdef __cplusplus + } +diff --git a/components/service/fwu/psa_fwu_m/agent/test/test_psa_fwu_m_update_agent.cpp b/components/service/fwu/psa_fwu_m/agent/test/test_psa_fwu_m_update_agent.cpp +index 3805d182..919ce897 100644 +--- a/components/service/fwu/psa_fwu_m/agent/test/test_psa_fwu_m_update_agent.cpp ++++ b/components/service/fwu/psa_fwu_m/agent/test/test_psa_fwu_m_update_agent.cpp +@@ -12,12 +12,37 @@ + #include + #include + ++static const psa_fwu_m_image_mapping * get_image_mapping() ++{ ++ static const psa_fwu_m_image_mapping image_mapping = { ++ .count = 2, ++ .images = { ++ { ++ .uuid = { ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f ++ }, ++ .component = 3 ++ }, ++ { ++ .uuid = { ++ 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08, ++ 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00 ++ }, ++ .component = 2 ++ }, ++ } ++ }; ++ return &image_mapping; ++} ++ + TEST_GROUP(psa_fwu_m_update_agent) { + TEST_SETUP() { + psa_fwu_component_info_t info = {0}; +- expect_mock_psa_fwu_query(mapping[0].component, &info, PSA_SUCCESS); +- expect_mock_psa_fwu_query(mapping[1].component, &info, PSA_SUCCESS); +- agent = psa_fwu_m_update_agent_init(mapping, 2, 4096); ++ mapping = get_image_mapping(); ++ expect_mock_psa_fwu_query(mapping->images[0].component, &info, PSA_SUCCESS); ++ expect_mock_psa_fwu_query(mapping->images[1].component, &info, PSA_SUCCESS); ++ agent = psa_fwu_m_update_agent_init(mapping, 4096); + handle = 0; + progress = 0; + total_work = 0; +@@ -31,14 +56,14 @@ TEST_GROUP(psa_fwu_m_update_agent) { + } + + void begin_staging() { +- expect_mock_psa_fwu_start(mapping[0].component, NULL, 0, PSA_SUCCESS); +- expect_mock_psa_fwu_start(mapping[1].component, NULL, 0, PSA_SUCCESS); ++ expect_mock_psa_fwu_start(mapping->images[0].component, NULL, 0, PSA_SUCCESS); ++ expect_mock_psa_fwu_start(mapping->images[1].component, NULL, 0, PSA_SUCCESS); + LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_begin_staging(agent, 0, 0, NULL)); + } + + void end_staging() { +- expect_mock_psa_fwu_finish(mapping[0].component, PSA_SUCCESS); +- expect_mock_psa_fwu_finish(mapping[1].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_finish(mapping->images[0].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_finish(mapping->images[1].component, PSA_SUCCESS); + + expect_mock_psa_fwu_install(PSA_SUCCESS); + +@@ -47,11 +72,11 @@ TEST_GROUP(psa_fwu_m_update_agent) { + + void open() { + LONGS_EQUAL(FWU_STATUS_SUCCESS, +- update_agent_open(agent, &mapping[0].uuid, FWU_OP_TYPE_WRITE, &handle)); ++ update_agent_open(agent, &mapping->images[0].uuid, FWU_OP_TYPE_WRITE, &handle)); + } + + void write(const uint8_t *data, size_t data_len) { +- expect_mock_psa_fwu_write(mapping[0].component, 0, NULL, 0, PSA_SUCCESS); ++ expect_mock_psa_fwu_write(mapping->images[0].component, 0, NULL, 0, PSA_SUCCESS); + LONGS_EQUAL(FWU_STATUS_SUCCESS, + update_agent_write_stream(agent, handle, data, data_len)); + } +@@ -61,27 +86,12 @@ TEST_GROUP(psa_fwu_m_update_agent) { + uint32_t progress; + uint32_t total_work; + +- const psa_fwu_m_image_mapping mapping[2] = { +- { +- .uuid = { +- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, +- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f +- }, +- .component = 3 +- }, +- { +- .uuid = { +- 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08, +- 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00 +- }, +- .component = 2 +- }, +- }; +- + const struct uuid_octets image_directory_uuid = { + 0xde, 0xee, 0x58, 0xd9, 0x51, 0x47, 0x4a, 0xd3, + 0xa2, 0x90, 0x77, 0x66, 0x6e, 0x23, 0x41, 0xa5 + }; ++ ++ const psa_fwu_m_image_mapping *mapping; + }; + + TEST(psa_fwu_m_update_agent, discover) +@@ -98,16 +108,16 @@ TEST(psa_fwu_m_update_agent, discover) + + TEST(psa_fwu_m_update_agent, begin_staging_start_fail) + { +- expect_mock_psa_fwu_start(mapping[0].component, NULL, 0, PSA_ERROR_GENERIC_ERROR); +- expect_mock_psa_fwu_clean(mapping[0].component, PSA_SUCCESS); +- expect_mock_psa_fwu_clean(mapping[1].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_start(mapping->images[0].component, NULL, 0, PSA_ERROR_GENERIC_ERROR); ++ expect_mock_psa_fwu_clean(mapping->images[0].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_clean(mapping->images[1].component, PSA_SUCCESS); + LONGS_EQUAL(FWU_STATUS_UNKNOWN, update_agent_begin_staging(agent, 0, 0, NULL)); + } + + TEST(psa_fwu_m_update_agent, begin_staging_start_and_clean_fail) + { +- expect_mock_psa_fwu_start(mapping[0].component, NULL, 0, PSA_ERROR_GENERIC_ERROR); +- expect_mock_psa_fwu_clean(mapping[0].component, PSA_ERROR_GENERIC_ERROR); ++ expect_mock_psa_fwu_start(mapping->images[0].component, NULL, 0, PSA_ERROR_GENERIC_ERROR); ++ expect_mock_psa_fwu_clean(mapping->images[0].component, PSA_ERROR_GENERIC_ERROR); + LONGS_EQUAL(FWU_STATUS_DENIED, update_agent_begin_staging(agent, 0, 0, NULL)); + } + +@@ -115,42 +125,42 @@ TEST(psa_fwu_m_update_agent, begin_staging_partial_invalid_uuid) + { + const struct uuid_octets update_guid = { 0 }; + +- expect_mock_psa_fwu_clean(mapping[0].component, PSA_SUCCESS); +- expect_mock_psa_fwu_clean(mapping[1].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_clean(mapping->images[0].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_clean(mapping->images[1].component, PSA_SUCCESS); + + LONGS_EQUAL(FWU_STATUS_UNKNOWN, update_agent_begin_staging(agent, 0, 1, &update_guid)); + } + + TEST(psa_fwu_m_update_agent, begin_staging_partial_image_directory_uuid) + { +- expect_mock_psa_fwu_clean(mapping[0].component, PSA_SUCCESS); +- expect_mock_psa_fwu_clean(mapping[1].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_clean(mapping->images[0].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_clean(mapping->images[1].component, PSA_SUCCESS); + + LONGS_EQUAL(FWU_STATUS_UNKNOWN, update_agent_begin_staging(agent, 0, 1, &image_directory_uuid)); + } + + TEST(psa_fwu_m_update_agent, begin_staging_partial_start_fail) + { +- expect_mock_psa_fwu_start(mapping[0].component, NULL, 0, PSA_ERROR_GENERIC_ERROR); +- expect_mock_psa_fwu_clean(mapping[0].component, PSA_SUCCESS); +- expect_mock_psa_fwu_clean(mapping[1].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_start(mapping->images[0].component, NULL, 0, PSA_ERROR_GENERIC_ERROR); ++ expect_mock_psa_fwu_clean(mapping->images[0].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_clean(mapping->images[1].component, PSA_SUCCESS); + +- LONGS_EQUAL(FWU_STATUS_UNKNOWN, update_agent_begin_staging(agent, 0, 1, &mapping[0].uuid)); ++ LONGS_EQUAL(FWU_STATUS_UNKNOWN, update_agent_begin_staging(agent, 0, 1, &mapping->images[0].uuid)); + } + + TEST(psa_fwu_m_update_agent, begin_staging_partial_start_and_clean_fail) + { +- expect_mock_psa_fwu_start(mapping[0].component, NULL, 0, PSA_ERROR_GENERIC_ERROR); +- expect_mock_psa_fwu_clean(mapping[0].component, PSA_ERROR_GENERIC_ERROR); ++ expect_mock_psa_fwu_start(mapping->images[0].component, NULL, 0, PSA_ERROR_GENERIC_ERROR); ++ expect_mock_psa_fwu_clean(mapping->images[0].component, PSA_ERROR_GENERIC_ERROR); + +- LONGS_EQUAL(FWU_STATUS_DENIED, update_agent_begin_staging(agent, 0, 1, &mapping[0].uuid)); ++ LONGS_EQUAL(FWU_STATUS_DENIED, update_agent_begin_staging(agent, 0, 1, &mapping->images[0].uuid)); + } + + TEST(psa_fwu_m_update_agent, begin_staging_partial) + { +- expect_mock_psa_fwu_start(mapping[0].component, NULL, 0, PSA_SUCCESS); ++ expect_mock_psa_fwu_start(mapping->images[0].component, NULL, 0, PSA_SUCCESS); + +- LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_begin_staging(agent, 0, 1, &mapping[0].uuid)); ++ LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_begin_staging(agent, 0, 1, &mapping->images[0].uuid)); + } + + TEST(psa_fwu_m_update_agent, begin_staging) +@@ -162,11 +172,11 @@ TEST(psa_fwu_m_update_agent, begin_staging_repeated_cancel_fail) + { + begin_staging(); + +- expect_mock_psa_fwu_cancel(mapping[0].component, PSA_SUCCESS); +- expect_mock_psa_fwu_cancel(mapping[1].component, PSA_ERROR_GENERIC_ERROR); ++ expect_mock_psa_fwu_cancel(mapping->images[0].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_cancel(mapping->images[1].component, PSA_ERROR_GENERIC_ERROR); + +- expect_mock_psa_fwu_clean(mapping[0].component, PSA_SUCCESS); +- expect_mock_psa_fwu_clean(mapping[1].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_clean(mapping->images[0].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_clean(mapping->images[1].component, PSA_SUCCESS); + + LONGS_EQUAL(FWU_STATUS_UNKNOWN, update_agent_begin_staging(agent, 0, 0, NULL)); + } +@@ -175,10 +185,10 @@ TEST(psa_fwu_m_update_agent, begin_staging_repeated_clean_fail) + { + begin_staging(); + +- expect_mock_psa_fwu_cancel(mapping[0].component, PSA_SUCCESS); +- expect_mock_psa_fwu_cancel(mapping[1].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_cancel(mapping->images[0].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_cancel(mapping->images[1].component, PSA_SUCCESS); + +- expect_mock_psa_fwu_clean(mapping[0].component, PSA_ERROR_GENERIC_ERROR); ++ expect_mock_psa_fwu_clean(mapping->images[0].component, PSA_ERROR_GENERIC_ERROR); + + LONGS_EQUAL(FWU_STATUS_DENIED, update_agent_begin_staging(agent, 0, 0, NULL)); + } +@@ -187,14 +197,14 @@ TEST(psa_fwu_m_update_agent, begin_staging_repeated) + { + begin_staging(); + +- expect_mock_psa_fwu_cancel(mapping[0].component, PSA_SUCCESS); +- expect_mock_psa_fwu_cancel(mapping[1].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_cancel(mapping->images[0].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_cancel(mapping->images[1].component, PSA_SUCCESS); + +- expect_mock_psa_fwu_clean(mapping[0].component, PSA_SUCCESS); +- expect_mock_psa_fwu_clean(mapping[1].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_clean(mapping->images[0].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_clean(mapping->images[1].component, PSA_SUCCESS); + +- expect_mock_psa_fwu_start(mapping[0].component, NULL, 0, PSA_SUCCESS); +- expect_mock_psa_fwu_start(mapping[1].component, NULL, 0, PSA_SUCCESS); ++ expect_mock_psa_fwu_start(mapping->images[0].component, NULL, 0, PSA_SUCCESS); ++ expect_mock_psa_fwu_start(mapping->images[1].component, NULL, 0, PSA_SUCCESS); + LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_begin_staging(agent, 0, 0, NULL)); + } + +@@ -214,8 +224,8 @@ TEST(psa_fwu_m_update_agent, end_staging_finish_fail) + { + begin_staging(); + +- expect_mock_psa_fwu_finish(mapping[0].component, PSA_SUCCESS); +- expect_mock_psa_fwu_finish(mapping[1].component, PSA_ERROR_GENERIC_ERROR); ++ expect_mock_psa_fwu_finish(mapping->images[0].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_finish(mapping->images[1].component, PSA_ERROR_GENERIC_ERROR); + + LONGS_EQUAL(FWU_STATUS_DENIED, update_agent_end_staging(agent)); + } +@@ -224,8 +234,8 @@ TEST(psa_fwu_m_update_agent, end_staging_install_fail) + { + begin_staging(); + +- expect_mock_psa_fwu_finish(mapping[0].component, PSA_SUCCESS); +- expect_mock_psa_fwu_finish(mapping[1].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_finish(mapping->images[0].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_finish(mapping->images[1].component, PSA_SUCCESS); + + expect_mock_psa_fwu_install(PSA_ERROR_GENERIC_ERROR); + +@@ -254,17 +264,17 @@ TEST(psa_fwu_m_update_agent, end_staging_all_accepted_accept_fail) + begin_staging(); + + LONGS_EQUAL(FWU_STATUS_SUCCESS, +- update_agent_open(agent, &mapping[0].uuid, FWU_OP_TYPE_WRITE, &handle)); ++ update_agent_open(agent, &mapping->images[0].uuid, FWU_OP_TYPE_WRITE, &handle)); + LONGS_EQUAL(FWU_STATUS_SUCCESS, + update_agent_commit(agent, handle, true, 0, &progress, &total_work)); + + LONGS_EQUAL(FWU_STATUS_SUCCESS, +- update_agent_open(agent, &mapping[1].uuid, FWU_OP_TYPE_WRITE, &handle)); ++ update_agent_open(agent, &mapping->images[1].uuid, FWU_OP_TYPE_WRITE, &handle)); + LONGS_EQUAL(FWU_STATUS_SUCCESS, + update_agent_commit(agent, handle, true, 0, &progress, &total_work)); + +- expect_mock_psa_fwu_finish(mapping[0].component, PSA_SUCCESS); +- expect_mock_psa_fwu_finish(mapping[1].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_finish(mapping->images[0].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_finish(mapping->images[1].component, PSA_SUCCESS); + + expect_mock_psa_fwu_install(PSA_SUCCESS); + +@@ -278,12 +288,12 @@ TEST(psa_fwu_m_update_agent, end_staging_all_accepted) + begin_staging(); + + LONGS_EQUAL(FWU_STATUS_SUCCESS, +- update_agent_open(agent, &mapping[0].uuid, FWU_OP_TYPE_WRITE, &handle)); ++ update_agent_open(agent, &mapping->images[0].uuid, FWU_OP_TYPE_WRITE, &handle)); + LONGS_EQUAL(FWU_STATUS_SUCCESS, + update_agent_commit(agent, handle, true, 0, &progress, &total_work)); + + LONGS_EQUAL(FWU_STATUS_SUCCESS, +- update_agent_open(agent, &mapping[1].uuid, FWU_OP_TYPE_WRITE, &handle)); ++ update_agent_open(agent, &mapping->images[1].uuid, FWU_OP_TYPE_WRITE, &handle)); + LONGS_EQUAL(FWU_STATUS_SUCCESS, + update_agent_commit(agent, handle, true, 0, &progress, &total_work)); + +@@ -303,7 +313,7 @@ TEST(psa_fwu_m_update_agent, cancel_staging_cancel_fail) + { + begin_staging(); + +- expect_mock_psa_fwu_cancel(mapping[0].component, PSA_ERROR_GENERIC_ERROR); ++ expect_mock_psa_fwu_cancel(mapping->images[0].component, PSA_ERROR_GENERIC_ERROR); + + LONGS_EQUAL(FWU_STATUS_DENIED, update_agent_cancel_staging(agent)); + } +@@ -312,15 +322,15 @@ TEST(psa_fwu_m_update_agent, cancel_staging) + { + begin_staging(); + +- expect_mock_psa_fwu_cancel(mapping[0].component, PSA_SUCCESS); +- expect_mock_psa_fwu_cancel(mapping[1].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_cancel(mapping->images[0].component, PSA_SUCCESS); ++ expect_mock_psa_fwu_cancel(mapping->images[1].component, PSA_SUCCESS); + + LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_cancel_staging(agent)); + } + + TEST(psa_fwu_m_update_agent, open_for_write_not_staging) + { +- LONGS_EQUAL(FWU_STATUS_DENIED, update_agent_open(agent, &mapping[0].uuid, ++ LONGS_EQUAL(FWU_STATUS_DENIED, update_agent_open(agent, &mapping->images[0].uuid, + FWU_OP_TYPE_WRITE, &handle)); + } + +@@ -345,12 +355,12 @@ TEST(psa_fwu_m_update_agent, open_for_write_image_directory) + + TEST(psa_fwu_m_update_agent, open_for_write_partial_not_staging) + { +- expect_mock_psa_fwu_start(mapping[0].component, NULL, 0, PSA_SUCCESS); ++ expect_mock_psa_fwu_start(mapping->images[0].component, NULL, 0, PSA_SUCCESS); + +- LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_begin_staging(agent, 0, 1, &mapping[0].uuid)); ++ LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_begin_staging(agent, 0, 1, &mapping->images[0].uuid)); + + LONGS_EQUAL(FWU_STATUS_DENIED, +- update_agent_open(agent, &mapping[1].uuid, FWU_OP_TYPE_WRITE, &handle)); ++ update_agent_open(agent, &mapping->images[1].uuid, FWU_OP_TYPE_WRITE, &handle)); + } + + TEST(psa_fwu_m_update_agent, open_for_read) +@@ -358,7 +368,7 @@ TEST(psa_fwu_m_update_agent, open_for_read) + begin_staging(); + + LONGS_EQUAL(FWU_STATUS_NOT_AVAILABLE, +- update_agent_open(agent, &mapping[0].uuid, FWU_OP_TYPE_READ, &handle)); ++ update_agent_open(agent, &mapping->images[0].uuid, FWU_OP_TYPE_READ, &handle)); + } + + TEST(psa_fwu_m_update_agent, open) +@@ -374,7 +384,7 @@ TEST(psa_fwu_m_update_agent, open_too_many) + while (1) { + int result = FWU_STATUS_DENIED; + +- result = update_agent_open(agent, &mapping[0].uuid, FWU_OP_TYPE_WRITE, &handle); ++ result = update_agent_open(agent, &mapping->images[0].uuid, FWU_OP_TYPE_WRITE, &handle); + if (result == FWU_STATUS_NOT_AVAILABLE) { + break; + } else { +@@ -410,7 +420,7 @@ TEST(psa_fwu_m_update_agent, write_stream_write_fail) + begin_staging(); + open(); + +- expect_mock_psa_fwu_write(mapping[0].component, 0, NULL, 0, PSA_ERROR_GENERIC_ERROR); ++ expect_mock_psa_fwu_write(mapping->images[0].component, 0, NULL, 0, PSA_ERROR_GENERIC_ERROR); + LONGS_EQUAL(FWU_STATUS_DENIED, update_agent_write_stream(agent, handle, NULL, 0)); + } + +@@ -423,7 +433,7 @@ TEST(psa_fwu_m_update_agent, write_stream_overflow) + begin_staging(); + open(); + +- expect_mock_psa_fwu_write(mapping[0].component, 0, data, sizeof(data), PSA_SUCCESS); ++ expect_mock_psa_fwu_write(mapping->images[0].component, 0, data, sizeof(data), PSA_SUCCESS); + LONGS_EQUAL(FWU_STATUS_SUCCESS, + update_agent_write_stream(agent, handle, data, sizeof(data))); + +@@ -440,11 +450,11 @@ TEST(psa_fwu_m_update_agent, write_stream) + begin_staging(); + open(); + +- expect_mock_psa_fwu_write(mapping[0].component, 0, data, sizeof(data), PSA_SUCCESS); ++ expect_mock_psa_fwu_write(mapping->images[0].component, 0, data, sizeof(data), PSA_SUCCESS); + LONGS_EQUAL(FWU_STATUS_SUCCESS, + update_agent_write_stream(agent, handle, data, sizeof(data))); + +- expect_mock_psa_fwu_write(mapping[0].component, sizeof(data), data, sizeof(data), PSA_SUCCESS); ++ expect_mock_psa_fwu_write(mapping->images[0].component, sizeof(data), data, sizeof(data), PSA_SUCCESS); + LONGS_EQUAL(FWU_STATUS_SUCCESS, + update_agent_write_stream(agent, handle, data, sizeof(data))); + } +@@ -492,7 +502,7 @@ TEST(psa_fwu_m_update_agent, read_image_directory_query_fail) + LONGS_EQUAL(FWU_STATUS_SUCCESS, + update_agent_open(agent, &image_directory_uuid, FWU_OP_TYPE_READ, &handle)); + +- expect_mock_psa_fwu_query(mapping[0].component, &info, PSA_ERROR_GENERIC_ERROR); ++ expect_mock_psa_fwu_query(mapping->images[0].component, &info, PSA_ERROR_GENERIC_ERROR); + LONGS_EQUAL(FWU_STATUS_DENIED, + update_agent_read_stream(agent, handle, buffer, sizeof(buffer), &read_len, + &total_len)); +@@ -522,8 +532,8 @@ TEST(psa_fwu_m_update_agent, read_image_directory) + LONGS_EQUAL(FWU_STATUS_SUCCESS, + update_agent_open(agent, &image_directory_uuid, FWU_OP_TYPE_READ, &handle)); + +- expect_mock_psa_fwu_query(mapping[0].component, &info0, PSA_SUCCESS); +- expect_mock_psa_fwu_query(mapping[1].component, &info1, PSA_SUCCESS); ++ expect_mock_psa_fwu_query(mapping->images[0].component, &info0, PSA_SUCCESS); ++ expect_mock_psa_fwu_query(mapping->images[1].component, &info1, PSA_SUCCESS); + LONGS_EQUAL(FWU_STATUS_SUCCESS, + update_agent_read_stream(agent, handle, buffer, sizeof(buffer), &read_len, + &total_len)); +@@ -538,8 +548,8 @@ TEST(psa_fwu_m_update_agent, read_image_directory) + UNSIGNED_LONGS_EQUAL(0, directory->correct_boot); + UNSIGNED_LONGS_EQUAL(0x28, directory->img_info_size); + +- MEMCMP_EQUAL(&mapping[0].uuid, directory->img_info_entry[0].img_type_uuid, +- sizeof(mapping[0].uuid)); ++ MEMCMP_EQUAL(&mapping->images[0].uuid, directory->img_info_entry[0].img_type_uuid, ++ sizeof(mapping->images[0].uuid)); + UNSIGNED_LONGS_EQUAL(1, directory->img_info_entry[0].client_permissions); + UNSIGNED_LONGS_EQUAL(info0.max_size, directory->img_info_entry[0].img_max_size); + UNSIGNED_LONGS_EQUAL(0, directory->img_info_entry[0].lowest_accepted_version); +@@ -547,8 +557,8 @@ TEST(psa_fwu_m_update_agent, read_image_directory) + UNSIGNED_LONGS_EQUAL(0, directory->img_info_entry[0].accepted); + UNSIGNED_LONGS_EQUAL(0, directory->img_info_entry[0].reserved); + +- MEMCMP_EQUAL(&mapping[1].uuid, directory->img_info_entry[1].img_type_uuid, +- sizeof(mapping[1].uuid)); ++ MEMCMP_EQUAL(&mapping->images[1].uuid, directory->img_info_entry[1].img_type_uuid, ++ sizeof(mapping->images[1].uuid)); + UNSIGNED_LONGS_EQUAL(1, directory->img_info_entry[1].client_permissions); + UNSIGNED_LONGS_EQUAL(info1.max_size, directory->img_info_entry[1].img_max_size); + UNSIGNED_LONGS_EQUAL(0, directory->img_info_entry[1].lowest_accepted_version); +@@ -608,7 +618,7 @@ TEST(psa_fwu_m_update_agent, accept_image_one) + { + begin_staging(); + end_staging(); +- LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_accept_image(agent, &mapping[0].uuid)); ++ LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_accept_image(agent, &mapping->images[0].uuid)); + } + + TEST(psa_fwu_m_update_agent, accept_image_accept_fail) +@@ -617,8 +627,8 @@ TEST(psa_fwu_m_update_agent, accept_image_accept_fail) + end_staging(); + + expect_mock_psa_fwu_accept(PSA_ERROR_GENERIC_ERROR); +- LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_accept_image(agent, &mapping[0].uuid)); +- LONGS_EQUAL(FWU_STATUS_DENIED, update_agent_accept_image(agent, &mapping[1].uuid)); ++ LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_accept_image(agent, &mapping->images[0].uuid)); ++ LONGS_EQUAL(FWU_STATUS_DENIED, update_agent_accept_image(agent, &mapping->images[1].uuid)); + } + + TEST(psa_fwu_m_update_agent, accept_image) +@@ -627,8 +637,8 @@ TEST(psa_fwu_m_update_agent, accept_image) + end_staging(); + + expect_mock_psa_fwu_accept(PSA_SUCCESS); +- LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_accept_image(agent, &mapping[0].uuid)); +- LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_accept_image(agent, &mapping[1].uuid)); ++ LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_accept_image(agent, &mapping->images[0].uuid)); ++ LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_accept_image(agent, &mapping->images[1].uuid)); + } + + +@@ -675,8 +685,8 @@ TEST(psa_fwu_m_update_agent, select_previous) + TEST(psa_fwu_m_update_agent, boot_in_trial_mode_query_fail) { + psa_fwu_component_info_t info = {0}; + +- expect_mock_psa_fwu_query(mapping[0].component, &info, PSA_ERROR_GENERIC_ERROR); +- POINTERS_EQUAL(NULL, psa_fwu_m_update_agent_init(mapping, 2, 4096)); ++ expect_mock_psa_fwu_query(mapping->images[0].component, &info, PSA_ERROR_GENERIC_ERROR); ++ POINTERS_EQUAL(NULL, psa_fwu_m_update_agent_init(mapping, 4096)); + } + + TEST(psa_fwu_m_update_agent, boot_in_trial_mode_select_previous) { +@@ -685,10 +695,10 @@ TEST(psa_fwu_m_update_agent, boot_in_trial_mode_select_previous) { + + info1.state = PSA_FWU_TRIAL; + +- expect_mock_psa_fwu_query(mapping[0].component, &info0, PSA_SUCCESS); +- expect_mock_psa_fwu_query(mapping[1].component, &info1, PSA_SUCCESS); ++ expect_mock_psa_fwu_query(mapping->images[0].component, &info0, PSA_SUCCESS); ++ expect_mock_psa_fwu_query(mapping->images[1].component, &info1, PSA_SUCCESS); + +- update_agent *agent = psa_fwu_m_update_agent_init(mapping, 2, 4096); ++ update_agent *agent = psa_fwu_m_update_agent_init(mapping, 4096); + + expect_mock_psa_fwu_reject(0, PSA_SUCCESS); + LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_select_previous(agent)); +@@ -702,14 +712,14 @@ TEST(psa_fwu_m_update_agent, boot_in_trial_mode_accept) { + + info1.state = PSA_FWU_TRIAL; + +- expect_mock_psa_fwu_query(mapping[0].component, &info0, PSA_SUCCESS); +- expect_mock_psa_fwu_query(mapping[1].component, &info1, PSA_SUCCESS); ++ expect_mock_psa_fwu_query(mapping->images[0].component, &info0, PSA_SUCCESS); ++ expect_mock_psa_fwu_query(mapping->images[1].component, &info1, PSA_SUCCESS); + +- update_agent *agent = psa_fwu_m_update_agent_init(mapping, 2, 4096); ++ update_agent *agent = psa_fwu_m_update_agent_init(mapping, 4096); + + expect_mock_psa_fwu_accept(PSA_SUCCESS); +- LONGS_EQUAL(FWU_STATUS_DENIED, update_agent_accept_image(agent, &mapping[0].uuid)); +- LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_accept_image(agent, &mapping[1].uuid)); ++ LONGS_EQUAL(FWU_STATUS_DENIED, update_agent_accept_image(agent, &mapping->images[0].uuid)); ++ LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_accept_image(agent, &mapping->images[1].uuid)); + + psa_fwu_m_update_agent_deinit(agent); + } +diff --git a/deployments/se-proxy/infra/corstone1000/corstone1000_config.c b/deployments/se-proxy/infra/corstone1000/corstone1000_config.c +index 0cc0dee9..7466120f 100644 +--- a/deployments/se-proxy/infra/corstone1000/corstone1000_config.c ++++ b/deployments/se-proxy/infra/corstone1000/corstone1000_config.c +@@ -14,43 +14,48 @@ + #error "CORSTONE_1000_TYPE is not defined." + #endif + +-struct psa_fwu_m_image_mapping img_mapping[IMAGE_MAPPING_ELEMENT_COUNT] = { ++struct psa_fwu_m_image_mapping img_mapping = { ++ .count = FWU_IMAGE_INDEX_COUNT, ++ .images = { + #if (CORSTONE_1000_TYPE == CORSTONE_1000_TYPE_CORTEX_A35_FVP) +- { +- .uuid = FWU_FVP_BL2_CAPSULE_UUID, +- .component = FWU_IMAGE_INDEX_CAPSULE_BL2 +- }, +- { +- .uuid = FWU_FVP_TFM_S_CAPSULE_UUID, +- .component = FWU_IMAGE_INDEX_CAPSULE_TFM_S +- }, +- { +- .uuid = FWU_FVP_FIP_CAPSULE_UUID, +- .component = FWU_IMAGE_INDEX_CAPSULE_FIP +- }, +- { +- .uuid = FWU_FVP_INITRAMFS_CAPSULE_UUID, +- .component = FWU_IMAGE_INDEX_CAPSULE_INITRAMFS +- }, ++ { ++ .uuid = {FWU_FVP_BL2_CAPSULE_UUID}, ++ .component = FWU_IMAGE_INDEX_CAPSULE_BL2 ++ }, ++ { ++ .uuid = {FWU_FVP_TFM_S_CAPSULE_UUID}, ++ .component = FWU_IMAGE_INDEX_CAPSULE_TFM_S ++ }, ++ { ++ .uuid = {FWU_FVP_FIP_CAPSULE_UUID}, ++ .component = FWU_IMAGE_INDEX_CAPSULE_FIP ++ }, ++ { ++ .uuid = {FWU_FVP_INITRAMFS_CAPSULE_UUID}, ++ .component = FWU_IMAGE_INDEX_CAPSULE_INITRAMFS ++ }, + #elif (CORSTONE_1000_TYPE == CORSTONE_1000_TYPE_CORTEX_A35_MPS3) +- { +- .uuid = FWU_MPS3_BL2_CAPSULE_UUID, +- .component = FWU_IMAGE_INDEX_CAPSULE_BL2 +- }, +- { +- .uuid = FWU_MPS3_TFM_S_CAPSULE_UUID, +- .component = FWU_IMAGE_INDEX_CAPSULE_TFM_S +- }, +- { +- .uuid = FWU_MPS3_FIP_CAPSULE_UUID, +- .component = FWU_IMAGE_INDEX_CAPSULE_FIP +- }, +- { +- .uuid = FWU_MPS3_INITRAMFS_CAPSULE_UUID, +- .component = FWU_IMAGE_INDEX_CAPSULE_INITRAMFS +- }, ++ { ++ .uuid = {FWU_MPS3_BL2_CAPSULE_UUID}, ++ .component = FWU_IMAGE_INDEX_CAPSULE_BL2 ++ }, ++ { ++ .uuid = {FWU_MPS3_TFM_S_CAPSULE_UUID}, ++ .component = FWU_IMAGE_INDEX_CAPSULE_TFM_S ++ }, ++ { ++ .uuid = {FWU_MPS3_FIP_CAPSULE_UUID}, ++ .component = FWU_IMAGE_INDEX_CAPSULE_FIP ++ }, ++ { ++ .uuid = {FWU_MPS3_INITRAMFS_CAPSULE_UUID}, ++ .component = FWU_IMAGE_INDEX_CAPSULE_INITRAMFS ++ }, + #else + #error "Unsupported CORSTONE_1000_TYPE value. Valid values are: 0 (Corstone-1000 with " \ + "Cortex-A35 FVP), 1 (Corstone-1000 with Cortex-A35 MPS3)" + #endif ++ /* Placeholder for ESRT entry; will be populated at runtime */ ++ {} /* ESRT image */ ++ } + }; +diff --git a/deployments/se-proxy/infra/corstone1000/corstone1000_config.h b/deployments/se-proxy/infra/corstone1000/corstone1000_config.h +index 59662ee3..99b15c21 100644 +--- a/deployments/se-proxy/infra/corstone1000/corstone1000_config.h ++++ b/deployments/se-proxy/infra/corstone1000/corstone1000_config.h +@@ -51,6 +51,8 @@ enum fwu_image_index { + FWU_IMAGE_INDEX_CAPSULE_TFM_S, + FWU_IMAGE_INDEX_CAPSULE_FIP, + FWU_IMAGE_INDEX_CAPSULE_INITRAMFS, ++ ++ // The ESRT image index should always be the last one + FWU_IMAGE_INDEX_ESRT, + + FWU_IMAGE_INDEX_LAST = FWU_IMAGE_INDEX_ESRT, +diff --git a/deployments/se-proxy/infra/rse/spf_fwu.c b/deployments/se-proxy/infra/rse/spf_fwu.c +index 713d932d..714edfaf 100644 +--- a/deployments/se-proxy/infra/rse/spf_fwu.c ++++ b/deployments/se-proxy/infra/rse/spf_fwu.c +@@ -17,23 +17,9 @@ + #include "service/fwu/provider/fwu_provider.h" + #include "service/fwu/common/update_agent_interface.h" + #include "service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h" +- + #include +-#include "corstone1000_config.h" +-#include "corstone1000_event_handling.h" +- +-#ifndef IMAGE_MAPPING_ELEMENT_COUNT +-#define IMAGE_MAPPING_ELEMENT_COUNT 0 +-#endif + +-#ifndef MAX_PAYLOAD_SIZE + #define MAX_PAYLOAD_SIZE 4096 +-#endif +- +-/* The index to access the ESRT image in the psa_fwu_m_image_mapping structure +- * collection. The ESRT image is always accessed at the end of the collection. +- */ +-#define IMAGE_MAPPING_ESRT_INDEX (IMAGE_MAPPING_ELEMENT_COUNT - 1) + + static void define_esrt_image_mapping(void); + +@@ -61,8 +47,7 @@ struct rpc_service_interface *fwu_proxy_create(void) + return NULL; + + define_esrt_image_mapping(); +- agent = psa_fwu_m_update_agent_init(img_mapping, IMAGE_MAPPING_ELEMENT_COUNT, +- MAX_PAYLOAD_SIZE); ++ agent = psa_fwu_m_update_agent_init(&img_mapping, MAX_PAYLOAD_SIZE); + + return fwu_provider_init(&fwu_provider, agent); + } +@@ -72,9 +57,15 @@ struct rpc_service_interface *fwu_proxy_create(void) + */ + static void define_esrt_image_mapping(void) + { +- uuid_octets_from_canonical(&img_mapping[IMAGE_MAPPING_ESRT_INDEX].uuid, ++ /* ++ * The index to access the ESRT image in the psa_fwu_m_image_mapping structure ++ * collection. The ESRT image is always accessed at the end of the collection. ++ */ ++ size_t esrt_index = img_mapping.count - 1; ++ ++ uuid_octets_from_canonical(&img_mapping.images[esrt_index].uuid, + EFI_SYSTEM_RESOURCE_TABLE_CANONICAL_UUID); +- img_mapping[IMAGE_MAPPING_ESRT_INDEX].component = FWU_IMAGE_INDEX_ESRT; ++ img_mapping.images[esrt_index].component = img_mapping.count; + } + + ADD_PROXY_SERVICE_FACTORY(fwu_proxy_create, FWU_PROXY, SE_PROXY_INTERFACE_PRIO_FWU); +diff --git a/deployments/se-proxy/infra/stub/service_proxy_factory.c b/deployments/se-proxy/infra/stub/service_proxy_factory.c +index c6c715e5..078984e0 100644 +--- a/deployments/se-proxy/infra/stub/service_proxy_factory.c ++++ b/deployments/se-proxy/infra/stub/service_proxy_factory.c +@@ -89,7 +89,7 @@ struct rpc_service_interface *fwu_proxy_create(void) + static struct update_agent *agent; + static struct fwu_provider fwu_provider = { 0 }; + +- agent = psa_fwu_m_update_agent_init(NULL, 0, 4096); ++ agent = psa_fwu_m_update_agent_init(NULL, 4096); + + return fwu_provider_init(&fwu_provider, agent); + } +diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake +index baddf0be..f5a9c48f 100644 +--- a/platform/providers/arm/corstone1000/platform.cmake ++++ b/platform/providers/arm/corstone1000/platform.cmake +@@ -34,25 +34,23 @@ set(MM_COMM_BUFFER_PAGE_COUNT 0x1 CACHE STRING "MM Communication buffer page cou + + + # For ESRT v1 details : https://uefi.org/specs/UEFI/2.9_A/23_Firmware_Update_and_Reporting.html#efi-system-resource-table +-set(FWU_IMAGE_CAPSULE_COUNT 4 CACHE STRING "Maximum number of FWU Images in a capsule to be updated") +-set(ESRT_IMAGE_ENTRY_SIZE 40 CACHE STRING "Size of one ESRT v1 Image entry structure object") +-set(ESRT_REMAINING_FIELDS_SIZE 16 CACHE STRING "Size of remaining fields of ESRT v1 table structure") ++# `FWU_IMAGE_CAPSULE_COUNT` has to match the number of images declared in corstone_config.h. Note that this does not include the ESRT image. ++# Maximum number of FWU Images in a capsule to be updated ++set(FWU_IMAGE_CAPSULE_COUNT 4) ++# Size of one ESRT v1 Image entry structure object ++set(ESRT_IMAGE_ENTRY_SIZE 40) ++# Size of remaining fields of ESRT v1 table structure ++set(ESRT_REMAINING_FIELDS_SIZE 16) + math(EXPR TOTAL_ESRT_SIZE "${FWU_IMAGE_CAPSULE_COUNT} * ${ESRT_IMAGE_ENTRY_SIZE} + ${ESRT_REMAINING_FIELDS_SIZE}" OUTPUT_FORMAT DECIMAL) + + set(TFM_FWU_MAX_DIGEST_SIZE ${TOTAL_ESRT_SIZE} CACHE STRING "Maximum size of ESRT entries of all the images in a bank") + +-set(ESRT_IMAGE_COUNT 1 CACHE STRING "The immutable number of ESRT image") +-math(EXPR IMAGE_MAPPING_ELEMENT_COUNT "${FWU_IMAGE_CAPSULE_COUNT} + ${ESRT_IMAGE_COUNT}" OUTPUT_FORMAT DECIMAL) +- + target_compile_definitions(${TGT} PRIVATE + PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE=${PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE} + COMMS_MHU_MSG_SIZE=${COMMS_MHU_MSG_SIZE} + MBEDTLS_ECP_DP_SECP521R1_ENABLED + CORSTONE_1000_TYPE=${CORSTONE_1000_TYPE_INT} + TFM_FWU_MAX_DIGEST_SIZE=${TFM_FWU_MAX_DIGEST_SIZE} +- FWU_IMAGE_CAPSULE_COUNT=${FWU_IMAGE_CAPSULE_COUNT} +- IMAGE_MAPPING_ELEMENT_COUNT=${IMAGE_MAPPING_ELEMENT_COUNT} +- MAX_PAYLOAD_SIZE=4096 + ) + + get_property(_platform_driver_dependencies TARGET ${TGT} +-- +2.43.0 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch index 8b387694..47fab7a1 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch @@ -1,8 +1,8 @@ -From a644191e6f184e39fbe60a8fd79bf34a9a88eb17 Mon Sep 17 00:00:00 2001 +From 2cd4db9828f244de77e402ad31c52d9c4ba3c600 Mon Sep 17 00:00:00 2001 From: Hugues KAMBA MPIANA -Date: Thu, 11 Sep 2025 14:25:04 +0100 -Subject: [PATCH] platform: corstone1000: Add CORSTONE_1000_TYPE variable for - platform selection +Date: Tue, 5 Aug 2025 14:05:49 +0100 +Subject: [PATCH 1/7] platform: corstone1000: Add CORSTONE_1000_TYPE variable + for platform selection This change introduces a CORSTONE_1000_TYPE variable in both CMake and C code to differentiate between Corstone-1000 platform types: @@ -21,20 +21,14 @@ Signed-off-by: Hugues KAMBA MPIANA Signed-off-by: Ali Can Ozaslan Signed-off-by: Harsimran Singh Tungal --- - .../providers/arm/corstone1000/platform.cmake | 21 ++++++++++++++++++- - 1 file changed, 20 insertions(+), 1 deletion(-) + .../providers/arm/corstone1000/platform.cmake | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -index d39b7903..478a394d 100644 +index 37c6accf..4b6b9675 100644 --- a/platform/providers/arm/corstone1000/platform.cmake +++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -1,11 +1,29 @@ - #------------------------------------------------------------------------------- --# Copyright (c) 2021-2024, Arm Limited and Contributors. All rights reserved. -+# Copyright (c) 2021-2025, Arm Limited and Contributors. All rights reserved. - # - # SPDX-License-Identifier: BSD-3-Clause - # +@@ -6,6 +6,24 @@ # Platform definition for the Corstone-1000 platform. #------------------------------------------------------------------------------- @@ -59,10 +53,10 @@ index d39b7903..478a394d 100644 set(SMM_GATEWAY_MAX_UEFI_VARIABLES 80 CACHE STRING "Maximum UEFI variable count") set(SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE 4*4096 CACHE STRING "RPC caller buffer size in SMMGW") set(SMM_SP_HEAP_SIZE 80*1024 CACHE STRING "SMM gateway SP heap size") -@@ -14,6 +32,7 @@ target_compile_definitions(${TGT} PRIVATE - SMM_VARIABLE_INDEX_STORAGE_UID=0x787 - PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE=0x2080 - COMMS_MHU_MSG_SIZE=0x3500 +@@ -19,6 +37,7 @@ target_compile_definitions(${TGT} PRIVATE + PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE=${PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE} + COMMS_MHU_MSG_SIZE=${COMMS_MHU_MSG_SIZE} + MBEDTLS_ECP_DP_SECP521R1_ENABLED + CORSTONE_1000_TYPE=${CORSTONE_1000_TYPE_INT} ) diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Fix-PSA-FWU-IPC-psa_fwu_install-return-value-check.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Fix-PSA-FWU-IPC-psa_fwu_install-return-value-check.patch index da948bd0..4ef78eb3 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Fix-PSA-FWU-IPC-psa_fwu_install-return-value-check.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Fix-PSA-FWU-IPC-psa_fwu_install-return-value-check.patch @@ -1,31 +1,74 @@ -From d43ec82f7e419e6f1e9f5bd002c324b788ee901f Mon Sep 17 00:00:00 2001 -From: Harsimran Singh Tungal -Date: Thu, 6 Feb 2025 11:32:04 +0000 -Subject: [PATCH 4/8] Fix PSA FWU IPC psa_fwu_install() return value check +From 8b8eb4a2d512de06d3ee8a17dd9295cd38efd68d Mon Sep 17 00:00:00 2001 +From: Hugues KAMBA MPIANA +Date: Tue, 5 Aug 2025 14:42:17 +0100 +Subject: [PATCH 4/7] fwu: Coerce PSA_SUCCESS_REBOOT and PSA_SUCCESS_RESTART to + PSA_SUCCESS -This change adds support to validate if the return type in psa_fwu_install() -is either PSA_SUCCESS or PSA_SUCCESS_REBOOT. Both the return values are expected. -Earlier, only PSA_SUCCESS is validated. +Map `PSA_SUCCESS_REBOOT` and `PSA_SUCCESS_RESTART` (returned by +FWU-M after a successful install) to plain `PSA_SUCCESS` in the FWU PSA +IPC client. +This is useful on A+M systems since FWU-A does not define equivalent +return codes, and avoids exposing non-zero success codes to FWU-A +clients. -Upstream-Status: Pending +Key changes: +- Update `psa_fwu_ipc.c` to coerce `PSA_SUCCESS_REBOOT` and + `PSA_SUCCESS_RESTART` to `PSA_SUCCESS` in `psa_fwu_install()``. +- Extend FWU documentation to describe the behavior. + +Note: When this option is enabled, the normal world must still arrange +a system reboot through its own mechanism. + +Upstream-Status: Backport [8b8eb4a2d512de06d3ee8a17dd9295cd38efd68d] Signed-off-by: Harsimran Singh Tungal +Signed-off-by: Hugues KAMBA MPIANA --- - .../service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + .../fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.c | 6 +++++- + docs/services/fwu/psa-fwu-m.rst | 9 ++++++--- + 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.c b/components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.c -index a47ae539..3947a809 100644 +index a47ae539..174b06f8 100644 --- a/components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.c +++ b/components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.c -@@ -190,7 +190,7 @@ psa_status_t psa_fwu_install(void) +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2024-2025, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -190,6 +190,10 @@ psa_status_t psa_fwu_install(void) status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, TFM_FWU_INSTALL, in_vec, 0, NULL, 0); -- if (status != PSA_SUCCESS) -+ if (status != PSA_SUCCESS && status != PSA_SUCCESS_REBOOT) ++ ++ if ((status == PSA_SUCCESS_REBOOT) || (status == PSA_SUCCESS_RESTART)) ++ status = PSA_SUCCESS; ++ + if (status != PSA_SUCCESS) EMSG("failed to psa_call: %d", status); - return status; +diff --git a/docs/services/fwu/psa-fwu-m.rst b/docs/services/fwu/psa-fwu-m.rst +index 1358015f..c3217159 100644 +--- a/docs/services/fwu/psa-fwu-m.rst ++++ b/docs/services/fwu/psa-fwu-m.rst +@@ -76,9 +76,12 @@ agent switches to trial state, so the client can validate the new set of images + + On calling ``fwu_end_staging()`` the agent calls ``psa_fwu_finish()`` on each selected image, then calls + ``psa_fwu_install()``. If all images have been accepted (see ``fwu_commit()``) it also calls ``psa_fwu_accept()``. +-The implementation treats ``PSA_SUCCESS_REBOOT`` and ``PSA_SUCCESS_RESTART`` status values as error. In an A+M system the M +-class side shouldn't restart the system, so calling ``psa_fwu_request_reboot()`` does not fit the system. There's also no +-PSA FWU A return code for inidicating the restart request to the normal world. If the normal world has to restart the ++ ++Since FWU-M may return ``PSA_SUCCESS_REBOOT`` or ``PSA_SUCCESS_RESTART`` for A+M systems, the FWU PSA IPC client coerces ++these statuses to ``PSA_SUCCESS`` because FWU-A does not define an equivalent return code. ++ ++In an A+M system the M class side shouldn't restart the system, so calling ``psa_fwu_request_reboot()`` does not fit the system. ++There's also no PSA FWU A return code for inidicating the restart request to the normal world. If the normal world has to restart the + system after ending the staging phase, it has to do it in an implementation defined way. + + .. uml:: ../uml/psa_fwu_m_update_agent/fwu_end_staging.puml -- -2.25.1 +2.43.0 diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-fwu-Add-EFI-ESRT-v1-support.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-fwu-Add-EFI-ESRT-v1-support.patch index ce810a35..c10a88a8 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-fwu-Add-EFI-ESRT-v1-support.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-fwu-Add-EFI-ESRT-v1-support.patch @@ -1,45 +1,69 @@ -From 740359ba2a73f5ce0015c9023cc1aa69506f99bf Mon Sep 17 00:00:00 2001 -From: Harsimran Singh Tungal -Date: Fri, 28 Feb 2025 21:12:25 +0000 -Subject: [PATCH 5/8] fwu: Add EFI ESRT v1 support +From d5ca8c5b73c3ff3bc5c137828932e440c6a7f187 Mon Sep 17 00:00:00 2001 +From: Hugues KAMBA MPIANA +Date: Tue, 5 Aug 2025 15:05:33 +0100 +Subject: [PATCH 5/7] fwu: Add support for ESRT v1 in PSA FWU-M agent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit -Add EFI ESRT v1 support for PSA FWU M agent. -ESRT functionality is implemented using unique image dedicated -for ESRT data having its own UUID. In PSA FWU M agent's context, -this image has read only attributes. The ESRT data can be read -using image_read_directory by using ESRT image UUID handle. The -ESRT data is queried from Secure Enclave using psa_fwu_query() -and ESRT data can be read from psa_fwu_impl_info_t structure -object defined in psa_fwu_component_info_t. +This patch introduces support for ESRT v1, enabling the PSA Firmware +Update Management (FWU-M) agent to expose UEFI-compliant firmware +resource metadata via a dedicated image UUID. -This commit includes the following changes: -1. Declare EFI ESRT v1 data structures. -2. Modify image_directory_read() to include EFI ESRT data read support -3. Modify psa_fwu_m_update_agent_init to initialize ESRT image -attributes +Key changes: +- Declares ESRT v1 data structures (`efi_system_resource_entry` and + `efi_system_resource_table`) as specified by the UEFI 2.9 standard. +- Extends `image_directory_read()` to detect ESRT image reads and serve + the data stored in `candidate_digest` from `psa_fwu_query()`. +- Modifies `psa_fwu_m_update_agent_init()` to properly initialize the + ESRT image with read-only attributes and hook `image_directory_read()` + as its read handler. +- Defines `FWU_IMAGE_CAPSULE_COUNT`, `ESRT_IMAGE_ENTRY_SIZE`, and + `ESRT_REMAINING_FIELDS_SIZE` to represent the structure of the ESRT v1 + table. +- Calculates `TOTAL_ESRT_SIZE` based on capsule count and ESRT entry + sizes. +- Sets `TFM_FWU_MAX_DIGEST_SIZE` to `TOTAL_ESRT_SIZE` to ensure the PSA + FWU + agent allocates sufficient buffer space for ESRT data. +- Exposes these constants via `target_compile_definitions()` for use in + the FWU runtime. This platform configuration ensures correct ESRT + memory sizing and enables firmware metadata reporting according to UEFI + 2.9 specification. -The ESRT v1 details can be found here : -https://uefi.org/specs/UEFI/2.9_A/23_Firmware_Update_and_Reporting.html#efi-system-resource-table +ESRT data can now be queried by update clients using the ESRT image UUID +handle. This enables standardized firmware reporting and diagnostics +in accordance with UEFI specifications. -Upstream-Status: Pending +Specification reference: +UEFI 2.9 §23 - Firmware Update and Reporting: +https://uefi.org/specs/UEFI/2.9_A/23_Firmware_Update_and_Reporting.html + +Upstream-Status: Backport [d5ca8c5b73c3ff3bc5c137828932e440c6a7f187] +Signed-off-by: Bence Balogh Signed-off-by: Harsimran Singh Tungal +Signed-off-by: Hugues KAMBA MPIANA --- - .../psa_fwu_m/agent/psa_fwu_m_update_agent.c | 50 +++++++++++++++++-- - protocols/service/fwu/fwu_proto.h | 29 +++++++++-- - 2 files changed, 71 insertions(+), 8 deletions(-) + .../psa_fwu_m/agent/psa_fwu_m_update_agent.c | 57 +++++++++++++++++-- + deployments/se-proxy/infra/rse/spf_fwu.c | 23 ++++++++ + .../providers/arm/corstone1000/platform.cmake | 15 +++++ + protocols/service/fwu/fwu_proto.h | 29 ++++++++-- + 4 files changed, 116 insertions(+), 8 deletions(-) diff --git a/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.c b/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.c -index 48b86f6e..d0464bf5 100644 +index 48b86f6e..26972fc0 100644 --- a/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.c +++ b/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.c -@@ -115,13 +115,22 @@ uint32_t image_version_to_uint(psa_fwu_image_version_t version) +@@ -115,13 +115,25 @@ uint32_t image_version_to_uint(psa_fwu_image_version_t version) return result; } +/* image_directory_read + * This function is used for two purposes: -+ * -> Send the details of firmware images to update client when read request is made for FWU_DIRECTORY_CANONICAL_UUID -+ * -> Send ESRT data to update client when read request is made for EFI_SYSTEM_RESOURCE_TABLE_CANONICAL_UUID ++ * -> Send the details of firmware images to update client when read request is ++ * made for FWU_DIRECTORY_CANONICAL_UUID ++ * -> Send ESRT data to update client when read request is ++ * made for EFI_SYSTEM_RESOURCE_TABLE_CANONICAL_UUID + */ int image_directory_read(struct psa_fwu_m_update_agent *agent, struct psa_fwu_m_image *image, uint8_t *buf, size_t buf_size, size_t *read_len, size_t *total_len) @@ -49,14 +73,15 @@ index 48b86f6e..d0464bf5 100644 struct fwu_image_directory *directory = NULL; - size_t image_count = agent->image_count - 1; /* Do not return Image directory */ + uint8_t esrt_image_uuid[OSF_UUID_OCTET_LEN]; -+ size_t image_count = agent->image_count - 1; /* Do not return Image directory -+ * If update client uses ESRT UUID for ESRT data, then ESRT image UUID -+ * is considered as a separate image included in this count -+ */ ++ /* Do not return Image directory ++ * If update client uses ESRT UUID for ESRT data, then ESRT image UUID ++ * is considered as a separate image included in this count ++ */ ++ size_t image_count = agent->image_count - 1; size_t image_info_size = 0; size_t i = 0; -@@ -136,12 +145,36 @@ int image_directory_read(struct psa_fwu_m_update_agent *agent, struct psa_fwu_m_ +@@ -136,12 +148,40 @@ int image_directory_read(struct psa_fwu_m_update_agent *agent, struct psa_fwu_m_ return FWU_STATUS_DENIED; /* LCOV_EXCL_LINE */ /* @@ -67,21 +92,25 @@ index 48b86f6e..d0464bf5 100644 if (*total_len > buf_size) return FWU_STATUS_SUCCESS; -+ /* Query ESRT data from Secure Enclave and Copy the ESRT entries from component_info.impl.candidate_digest -+ * to buf in case of ESRT image UUID. -+ * This is needed because Secure Enclave fills component_info.impl.candidate_digest with ESRT data -+ * which needs to be transferred to normal world buffer ++ /* Query ESRT data from Secure Enclave and Copy the ESRT entries ++ * from component_info.impl.candidate_digest to buf in case of ESRT image UUID. ++ * This is needed because Secure Enclave fills component_info.impl.candidate_digest ++ * with ESRT data which needs to be transferred to normal world buffer + */ -+ uuid_octets_from_canonical((struct uuid_octets *)&esrt_image_uuid, EFI_SYSTEM_RESOURCE_TABLE_CANONICAL_UUID); ++ uuid_octets_from_canonical((struct uuid_octets *)&esrt_image_uuid, ++ EFI_SYSTEM_RESOURCE_TABLE_CANONICAL_UUID); + if (!memcmp(&esrt_image_uuid, &image->uuid, sizeof(esrt_image_uuid))) { + /* Query ESRT data */ + psa_status = psa_fwu_query(image->component, &component_info); + if (psa_status != PSA_SUCCESS) + return psa_status_to_fwu_status(psa_status); + -+ struct efi_system_resource_table *esrt = (struct efi_system_resource_table *)component_info.impl.candidate_digest; -+ size_t esrt_size_recv = (esrt->fw_resource_count * sizeof(struct efi_system_resource_entry) ) + sizeof(struct efi_system_resource_table); -+ if(esrt_size_recv > TFM_FWU_MAX_DIGEST_SIZE) ++ struct efi_system_resource_table *esrt = ++ (struct efi_system_resource_table *)component_info.impl.candidate_digest; ++ size_t esrt_size_recv = (esrt->fw_resource_count * ++ sizeof(struct efi_system_resource_entry)) ++ + sizeof(struct efi_system_resource_table); ++ if (esrt_size_recv > TFM_FWU_MAX_DIGEST_SIZE) + return FWU_STATUS_OUT_OF_BOUNDS; + + /* Copy the ESRT entries to the buf */ @@ -94,7 +123,7 @@ index 48b86f6e..d0464bf5 100644 directory = (struct fwu_image_directory *)buf; directory->directory_version = FWU_IMAGE_DIRECTORY_VERSION; directory->img_info_offset = offsetof(struct fwu_image_directory, img_info_entry); -@@ -615,6 +648,7 @@ struct update_agent *psa_fwu_m_update_agent_init( +@@ -615,6 +655,7 @@ struct update_agent *psa_fwu_m_update_agent_init( struct psa_fwu_m_image *images = NULL; enum psa_fwu_m_state state = regular; struct update_agent *agent = NULL; @@ -102,27 +131,110 @@ index 48b86f6e..d0464bf5 100644 size_t i = 0; /* Allocate +1 image for the Image directory */ -@@ -657,8 +691,16 @@ struct update_agent *psa_fwu_m_update_agent_init( +@@ -657,8 +698,16 @@ struct update_agent *psa_fwu_m_update_agent_init( images[i].selected_for_staging = false; } - images[i].read = NULL; /* Cannot read images */ - images[i].write = image_write; -+ uuid_octets_from_canonical((struct uuid_octets *)&esrt_image_uuid, EFI_SYSTEM_RESOURCE_TABLE_CANONICAL_UUID); ++ uuid_octets_from_canonical((struct uuid_octets *)&esrt_image_uuid, ++ EFI_SYSTEM_RESOURCE_TABLE_CANONICAL_UUID); + if (!memcmp(&esrt_image_uuid, &images[i].uuid, sizeof(esrt_image_uuid))) { + images[i].read = image_directory_read; + images[i].write = NULL; + images[i].selected_for_staging = false; -+ } -+ else { ++ } else { + images[i].read = NULL; /* Cannot read images */ + images[i].write = image_write; + } } /* Insert Image directory as the last image */ +diff --git a/deployments/se-proxy/infra/rse/spf_fwu.c b/deployments/se-proxy/infra/rse/spf_fwu.c +index 90f200e1..713d932d 100644 +--- a/deployments/se-proxy/infra/rse/spf_fwu.c ++++ b/deployments/se-proxy/infra/rse/spf_fwu.c +@@ -18,6 +18,10 @@ + #include "service/fwu/common/update_agent_interface.h" + #include "service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h" + ++#include ++#include "corstone1000_config.h" ++#include "corstone1000_event_handling.h" ++ + #ifndef IMAGE_MAPPING_ELEMENT_COUNT + #define IMAGE_MAPPING_ELEMENT_COUNT 0 + #endif +@@ -26,6 +30,13 @@ + #define MAX_PAYLOAD_SIZE 4096 + #endif + ++/* The index to access the ESRT image in the psa_fwu_m_image_mapping structure ++ * collection. The ESRT image is always accessed at the end of the collection. ++ */ ++#define IMAGE_MAPPING_ESRT_INDEX (IMAGE_MAPPING_ELEMENT_COUNT - 1) ++ ++static void define_esrt_image_mapping(void); ++ + struct rpc_service_interface *fwu_proxy_create(void) + { + rpc_status_t rpc_status = RPC_ERROR_INTERNAL; +@@ -48,10 +59,22 @@ struct rpc_service_interface *fwu_proxy_create(void) + + if (psa_fwu_ipc_init(&rpc_session) != PSA_SUCCESS) + return NULL; ++ ++ define_esrt_image_mapping(); + agent = psa_fwu_m_update_agent_init(img_mapping, IMAGE_MAPPING_ELEMENT_COUNT, + MAX_PAYLOAD_SIZE); + + return fwu_provider_init(&fwu_provider, agent); + } + ++/* Every platform needs to define esrt image mapping, ++ * if ESRT image UUID is to be used to extract ESRT data ++ */ ++static void define_esrt_image_mapping(void) ++{ ++ uuid_octets_from_canonical(&img_mapping[IMAGE_MAPPING_ESRT_INDEX].uuid, ++ EFI_SYSTEM_RESOURCE_TABLE_CANONICAL_UUID); ++ img_mapping[IMAGE_MAPPING_ESRT_INDEX].component = FWU_IMAGE_INDEX_ESRT; ++} ++ + ADD_PROXY_SERVICE_FACTORY(fwu_proxy_create, FWU_PROXY, SE_PROXY_INTERFACE_PRIO_FWU); +diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake +index 4b6b9675..baddf0be 100644 +--- a/platform/providers/arm/corstone1000/platform.cmake ++++ b/platform/providers/arm/corstone1000/platform.cmake +@@ -33,11 +33,26 @@ set(MM_COMM_BUFFER_ADDRESS "0x00000000 0x81FFF000" CACHE STRING "MM Communicatio + set(MM_COMM_BUFFER_PAGE_COUNT 0x1 CACHE STRING "MM Communication buffer page count") + + ++# For ESRT v1 details : https://uefi.org/specs/UEFI/2.9_A/23_Firmware_Update_and_Reporting.html#efi-system-resource-table ++set(FWU_IMAGE_CAPSULE_COUNT 4 CACHE STRING "Maximum number of FWU Images in a capsule to be updated") ++set(ESRT_IMAGE_ENTRY_SIZE 40 CACHE STRING "Size of one ESRT v1 Image entry structure object") ++set(ESRT_REMAINING_FIELDS_SIZE 16 CACHE STRING "Size of remaining fields of ESRT v1 table structure") ++math(EXPR TOTAL_ESRT_SIZE "${FWU_IMAGE_CAPSULE_COUNT} * ${ESRT_IMAGE_ENTRY_SIZE} + ${ESRT_REMAINING_FIELDS_SIZE}" OUTPUT_FORMAT DECIMAL) ++ ++set(TFM_FWU_MAX_DIGEST_SIZE ${TOTAL_ESRT_SIZE} CACHE STRING "Maximum size of ESRT entries of all the images in a bank") ++ ++set(ESRT_IMAGE_COUNT 1 CACHE STRING "The immutable number of ESRT image") ++math(EXPR IMAGE_MAPPING_ELEMENT_COUNT "${FWU_IMAGE_CAPSULE_COUNT} + ${ESRT_IMAGE_COUNT}" OUTPUT_FORMAT DECIMAL) ++ + target_compile_definitions(${TGT} PRIVATE + PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE=${PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE} + COMMS_MHU_MSG_SIZE=${COMMS_MHU_MSG_SIZE} + MBEDTLS_ECP_DP_SECP521R1_ENABLED + CORSTONE_1000_TYPE=${CORSTONE_1000_TYPE_INT} ++ TFM_FWU_MAX_DIGEST_SIZE=${TFM_FWU_MAX_DIGEST_SIZE} ++ FWU_IMAGE_CAPSULE_COUNT=${FWU_IMAGE_CAPSULE_COUNT} ++ IMAGE_MAPPING_ELEMENT_COUNT=${IMAGE_MAPPING_ELEMENT_COUNT} ++ MAX_PAYLOAD_SIZE=4096 + ) + + get_property(_platform_driver_dependencies TARGET ${TGT} diff --git a/protocols/service/fwu/fwu_proto.h b/protocols/service/fwu/fwu_proto.h -index 4bcacb1f..aa5d2561 100644 +index 4bcacb1f..85296e5b 100644 --- a/protocols/service/fwu/fwu_proto.h +++ b/protocols/service/fwu/fwu_proto.h @@ -1,5 +1,5 @@ @@ -139,10 +251,10 @@ index 4bcacb1f..aa5d2561 100644 -#define FWU_UPDATE_AGENT_CANONICAL_UUID "6823a838-1b06-470e-9774-0cce8bfb53fd" -#define FWU_DIRECTORY_CANONICAL_UUID "deee58d9-5147-4ad3-a290-77666e2341a5" -#define FWU_METADATA_CANONICAL_UUID "8a7a84a0-8387-40f6-ab41-a8b9a5a60d23" -+#define FWU_UPDATE_AGENT_CANONICAL_UUID "6823a838-1b06-470e-9774-0cce8bfb53fd" -+#define FWU_DIRECTORY_CANONICAL_UUID "deee58d9-5147-4ad3-a290-77666e2341a5" -+#define FWU_METADATA_CANONICAL_UUID "8a7a84a0-8387-40f6-ab41-a8b9a5a60d23" -+#define EFI_SYSTEM_RESOURCE_TABLE_CANONICAL_UUID "63a222b1-6136-684f-9929-78f8b0d62180" ++#define FWU_UPDATE_AGENT_CANONICAL_UUID "6823a838-1b06-470e-9774-0cce8bfb53fd" ++#define FWU_DIRECTORY_CANONICAL_UUID "deee58d9-5147-4ad3-a290-77666e2341a5" ++#define FWU_METADATA_CANONICAL_UUID "8a7a84a0-8387-40f6-ab41-a8b9a5a60d23" ++#define EFI_SYSTEM_RESOURCE_TABLE_CANONICAL_UUID "63a222b1-6136-684f-9929-78f8b0d62180" #define FWU_OPEN_OP_TYPE_READ (0) #define FWU_OPEN_OP_TYPE_WRITE (1) @@ -154,13 +266,13 @@ index 4bcacb1f..aa5d2561 100644 + * @brief Information about the ESRT v1. + */ +struct __attribute__((__packed__)) efi_system_resource_entry { -+ uint8_t fw_class[OSF_UUID_OCTET_LEN]; -+ uint32_t fw_type; -+ uint32_t fw_version; -+ uint32_t lowest_supported_fw_version; -+ uint32_t capsule_flags; -+ uint32_t last_attempt_version; -+ uint32_t last_attempt_status; ++ uint8_t fw_class[OSF_UUID_OCTET_LEN]; ++ uint32_t fw_type; ++ uint32_t fw_version; ++ uint32_t lowest_supported_fw_version; ++ uint32_t capsule_flags; ++ uint32_t last_attempt_version; ++ uint32_t last_attempt_status; +}; + +struct __attribute__((__packed__)) efi_system_resource_table { @@ -174,5 +286,5 @@ index 4bcacb1f..aa5d2561 100644 uint8_t img_type_uuid[OSF_UUID_OCTET_LEN]; uint32_t client_permissions; -- -2.25.1 +2.43.0 diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-platform-corstone1000-Add-event-provider-proxy.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-platform-corstone1000-Add-event-provider-proxy.patch index e92b80ef..86868071 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-platform-corstone1000-Add-event-provider-proxy.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-platform-corstone1000-Add-event-provider-proxy.patch @@ -1,31 +1,84 @@ -From 7953806fd3fdb743c40b76e363b917fac786c636 Mon Sep 17 00:00:00 2001 -From: Harsimran Singh Tungal -Date: Tue, 11 Mar 2025 13:33:36 +0000 -Subject: [PATCH 10/11] platform: corstone1000: Add event provider proxy +From 6a4cedce9d433bc42a71ac77c3cd90dde4242951 Mon Sep 17 00:00:00 2001 +From: Hugues KAMBA MPIANA +Date: Tue, 5 Aug 2025 15:22:44 +0100 +Subject: [PATCH 2/7] platform: corstone1000: Add event provider proxy for boot + confirmation handling -Normal world needs to send boot confirmation event -to Secure Enclave and Trusted-Services is responsible -to transfer the event to Secure Enclave. -This commit implements the event handling framework in -SE-proxy-SP and develops event provider proxy which -forwards the event to Secure Enclave via psa calls. -This change is introduced for Corstone-1000 +This patch introduces an event forwarding framework to support +delivery of boot confirmation events from the normal world to the +Secure Enclave for the Corstone-1000 platform. -Upstream-Status: Pending +Key changes: +- Implements an `event_provider` service in the SE-Proxy SP that + processes boot confirmation events received from the host. +- Forwards the events to the Secure Enclave using PSA calls to + the `TFM_PLATFORM_SERVICE_HANDLE` and `TFM_PLATFORM_API_ID_IOCTL`. +- Defines and registers a proxy factory (`event_handler_proxy_create`) + to initialize and connect the event provider with the RSE comms + backend. +- Adds associated infrastructure in `infra.cmake` and headers to + support integration with the service framework. + +This mechanism ensures the SE-Proxy SP can relay important boot status +events (e.g., FWU boot confirmation) to the Secure Enclave for secure +state updates and lifecycle management. + +Upstream-Status: Backport [6a4cedce9d433bc42a71ac77c3cd90dde4242951] Signed-off-by: Harsimran Singh Tungal +Signed-off-by: Hugues KAMBA MPIANA --- + .../service/common/include/psa/client.h | 28 +++++++ components/service/common/include/psa/sid.h | 9 ++ - .../se-proxy/env/commonsp/se_proxy_sp.c | 16 +++- - .../corstone1000_event_handling.c | 91 +++++++++++++++++++ - .../corstone1000_event_handling.h | 42 +++++++++ - .../se-proxy/infra/corstone1000/infra.cmake | 1 + - .../corstone1000/service_proxy_factory.c | 27 ++++++ - 6 files changed, 184 insertions(+), 2 deletions(-) + .../corstone1000_event_handling.c | 83 +++++++++++++++++++ + .../corstone1000_event_handling.h | 40 +++++++++ + .../se-proxy/infra/corstone1000/infra.cmake | 6 ++ + .../infra/corstone1000/spf_event_handler.c | 44 ++++++++++ + 6 files changed, 210 insertions(+) create mode 100644 deployments/se-proxy/infra/corstone1000/corstone1000_event_handling.c create mode 100644 deployments/se-proxy/infra/corstone1000/corstone1000_event_handling.h + create mode 100644 deployments/se-proxy/infra/corstone1000/spf_event_handler.c +diff --git a/components/service/common/include/psa/client.h b/components/service/common/include/psa/client.h +index db40d7af..7e3092ae 100644 +--- a/components/service/common/include/psa/client.h ++++ b/components/service/common/include/psa/client.h +@@ -96,6 +96,34 @@ inline static uint32_t psa_ptr_const_to_u32(const void *ptr) + return (uintptr_t)ptr; + } + ++static inline bool psa_ptr_would_truncate_u32(const void *ptr) ++{ ++#if UINTPTR_MAX > UINT32_MAX ++ return (uintptr_t)ptr & ~((uintptr_t)UINT32_MAX); ++#else ++ (void)ptr; ++ return false; ++#endif ++} ++ ++static inline psa_status_t psa_ptr_const_to_u32_checked(const void *src, uint32_t *dst) ++{ ++ if (psa_ptr_would_truncate_u32(src)) ++ return PSA_ERROR_INVALID_ARGUMENT; ++ ++ *dst = (uint32_t)(uintptr_t)src; ++ return PSA_SUCCESS; ++} ++ ++static inline psa_status_t psa_ptr_to_u32_checked(void *src, uint32_t *dst) ++{ ++ if (psa_ptr_would_truncate_u32(src)) ++ return PSA_ERROR_INVALID_ARGUMENT; ++ ++ *dst = (uint32_t)(uintptr_t)src; ++ return PSA_SUCCESS; ++} ++ + /*************************** PSA Client API **********************************/ + + /** diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h -index 0235764d..9f5ea05e 100644 +index 0235764d..baf16fed 100644 --- a/components/service/common/include/psa/sid.h +++ b/components/service/common/include/psa/sid.h @@ -40,6 +40,15 @@ extern "C" { @@ -39,57 +92,17 @@ index 0235764d..9f5ea05e 100644 +/** + * \brief Define a progressive numerical value for each SID which can be used + * when dispatching the requests to the service -+*/ ++ */ + /******** TFM_SP_PLATFORM ********/ #define TFM_SP_PLATFORM_SYSTEM_RESET_SID (0x00000040U) #define TFM_SP_PLATFORM_SYSTEM_RESET_VERSION (1U) -diff --git a/deployments/se-proxy/env/commonsp/se_proxy_sp.c b/deployments/se-proxy/env/commonsp/se_proxy_sp.c -index 9f94092b..ce1410b2 100644 ---- a/deployments/se-proxy/env/commonsp/se_proxy_sp.c -+++ b/deployments/se-proxy/env/commonsp/se_proxy_sp.c -@@ -1,6 +1,6 @@ - // SPDX-License-Identifier: BSD-3-Clause - /* -- * Copyright (c) 2021-2024, Arm Limited and Contributors. All rights reserved. -+ * Copyright (c) 2021-2025, Arm Limited and Contributors. All rights reserved. - */ - - #include "components/rpc/common/endpoint/rpc_service_interface.h" -@@ -42,7 +42,7 @@ void __noreturn sp_main(union ffa_boot_info *boot_info) - goto fatal_error; - } - -- rpc_status = ts_rpc_endpoint_sp_init(&rpc_endpoint, 6, 16); -+ rpc_status = ts_rpc_endpoint_sp_init(&rpc_endpoint, 7, 16); - if (rpc_status != RPC_SUCCESS) { - EMSG("Failed to initialize RPC endpoint: %d", rpc_status); - goto fatal_error; -@@ -97,6 +97,18 @@ void __noreturn sp_main(union ffa_boot_info *boot_info) - goto fatal_error; - } - -+ rpc_iface = event_handler_proxy_create(); -+ if (!rpc_iface) { -+ EMSG("Failed to create Capsule Update proxy"); -+ goto fatal_error; -+ } -+ -+ rpc_status = ts_rpc_endpoint_sp_add_service(&rpc_endpoint, rpc_iface); -+ if (rpc_status != RPC_SUCCESS) { -+ EMSG("Failed to add service to RPC endpoint: %d", rpc_status); -+ goto fatal_error; -+ } -+ - rpc_iface = fwu_proxy_create(); - if (!rpc_iface) { - EMSG("Failed to create FWU proxy"); diff --git a/deployments/se-proxy/infra/corstone1000/corstone1000_event_handling.c b/deployments/se-proxy/infra/corstone1000/corstone1000_event_handling.c new file mode 100644 -index 00000000..faf450f2 +index 00000000..524db58d --- /dev/null +++ b/deployments/se-proxy/infra/corstone1000/corstone1000_event_handling.c -@@ -0,0 +1,91 @@ +@@ -0,0 +1,83 @@ +/* + * Copyright (c) 2025, Arm Limited and Contributors. All rights reserved. + * @@ -115,78 +128,70 @@ index 00000000..faf450f2 + +/* Handler mapping table for service */ +static const struct service_handler handler_table[] = { -+ {OPCODE_BOOT_CONFIRMED, boot_confirmed_handler} ++ {.opcode = OPCODE_BOOT_CONFIRMED, .invoke = boot_confirmed_handler} +}; + -+struct rpc_service_interface *corstone1000_event_provider_init( -+ struct event_provider *context) ++struct rpc_service_interface *corstone1000_event_provider_init(struct event_provider *context) +{ -+ struct rpc_service_interface *rpc_interface = NULL; -+ const struct rpc_uuid dummy_uuid = { .uuid = { 0 }}; + if (!context) + return NULL; + -+ service_provider_init( -+ &context->base_provider, -+ context, -+ &dummy_uuid, -+ handler_table, -+ sizeof(handler_table)/sizeof(struct service_handler)); -+ -+ rpc_interface = service_provider_get_rpc_interface(&context->base_provider); ++ service_provider_init(&context->base_provider, context, ++ &(const struct rpc_uuid){.uuid = { 0 }}, handler_table, ++ sizeof(handler_table) / sizeof(struct service_handler)); + -+ return rpc_interface; ++ return service_provider_get_rpc_interface(&context->base_provider); +} + +static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller_interface *caller) +{ ++ if (!caller) { ++ EMSG("%s rpc_caller is NULL", __func__); ++ return TS_RPC_ERROR_RESOURCE_FAILURE; ++ } ++ ++ IMSG("%s opcode %x", __func__, opcode); ++ + uint32_t ioctl_id; -+ rpc_status_t rpc_status = TS_RPC_CALL_ACCEPTED; ++ uint32_t mem_buf_start_addr; ++ ++ if (psa_ptr_to_u32_checked(&ioctl_id, &mem_buf_start_addr) != PSA_SUCCESS) { ++ EMSG("%s start address of the memory buffer does not fit in 32 bits", __func__); ++ return TS_RPC_ERROR_INTERNAL; ++ } + + struct psa_invec in_vec[] = { -+ { .base = &ioctl_id, .len = sizeof(ioctl_id) } ++ { .base = mem_buf_start_addr, .len = sizeof(ioctl_id) } + }; + -+ if(!caller) { -+ EMSG("event_handler rpc_caller is NULL"); -+ rpc_status = TS_RPC_ERROR_RESOURCE_FAILURE; -+ return rpc_status; -+ } -+ -+ IMSG("event handler opcode %x", opcode); -+ switch(opcode) { -+ case OPCODE_BOOT_CONFIRMED: ++ switch (opcode) { ++ case OPCODE_BOOT_CONFIRMED: + ioctl_id = IOCTL_CORSTONE1000_FWU_HOST_ACK; -+ /* Boot Confirmed event from Normal World */ -+ -+ psa_call(caller,TFM_PLATFORM_SERVICE_HANDLE, TFM_PLATFORM_API_ID_IOCTL, -+ in_vec,IOVEC_LEN(in_vec), NULL, 0); ++ ++ psa_call(caller, TFM_PLATFORM_SERVICE_HANDLE, TFM_PLATFORM_API_ID_IOCTL, in_vec, ++ IOVEC_LEN(in_vec), NULL, 0); + break; -+ default: -+ EMSG("%s unsupported opcode", __func__); -+ rpc_status = TS_RPC_ERROR_INVALID_PARAMETER; ++ ++ default: ++ EMSG("%s unsupported opcode", __func__); ++ return TS_RPC_ERROR_INVALID_PARAMETER; + } -+ return rpc_status; + ++ return TS_RPC_CALL_ACCEPTED; +} + +static rpc_status_t boot_confirmed_handler(void *context, struct rpc_request *req) +{ -+ struct event_provider *this_instance = (struct event_provider*)context; -+ struct rpc_caller_interface *caller = this_instance->client.session->caller; -+ uint32_t opcode = req->opcode; -+ rpc_status_t rpc_status; -+ -+ rpc_status = event_handler(opcode, caller); ++ struct event_provider *this_instance = (struct event_provider *)context; + -+ return rpc_status; ++ return event_handler(req->opcode, this_instance->client.session->caller); +} diff --git a/deployments/se-proxy/infra/corstone1000/corstone1000_event_handling.h b/deployments/se-proxy/infra/corstone1000/corstone1000_event_handling.h new file mode 100644 -index 00000000..e8e60dae +index 00000000..ecb2d6b8 --- /dev/null +++ b/deployments/se-proxy/infra/corstone1000/corstone1000_event_handling.h -@@ -0,0 +1,42 @@ +@@ -0,0 +1,40 @@ +/* + * Copyright (c) 2025, Arm Limited and Contributors. All rights reserved. + * @@ -208,8 +213,7 @@ index 00000000..e8e60dae + * The event_provider is a service provider that accepts events + * and delegates them to a suitable backend. + */ -+struct event_provider -+{ ++struct event_provider { + struct service_provider base_provider; + struct service_client client; +}; @@ -221,8 +225,7 @@ index 00000000..e8e60dae + * + * \return An rpc_service_interface or NULL on failure + */ -+struct rpc_service_interface *corstone1000_event_provider_init( -+ struct event_provider *context); ++struct rpc_service_interface *corstone1000_event_provider_init(struct event_provider *context); + +#ifdef __cplusplus +} /* extern "C" */ @@ -230,34 +233,48 @@ index 00000000..e8e60dae + +#endif /* CORSTONE1000_EVENT_HANDLING_H */ diff --git a/deployments/se-proxy/infra/corstone1000/infra.cmake b/deployments/se-proxy/infra/corstone1000/infra.cmake -index 2bf6b36e..1ec43700 100644 +index 22d1542d..f0c2e58e 100644 --- a/deployments/se-proxy/infra/corstone1000/infra.cmake +++ b/deployments/se-proxy/infra/corstone1000/infra.cmake -@@ -33,4 +33,5 @@ add_components(TARGET "se-proxy" - target_sources(se-proxy PRIVATE - - ${CMAKE_CURRENT_LIST_DIR}/service_proxy_factory.c +@@ -14,6 +14,12 @@ set(CFG_ENABLE_CRYPTO On) + set(CFG_ENABLE_CRYPTO_NANO On) + set(CFG_ENABLE_IAT On) + set(CFG_ENABLE_FWU On) ++ ++target_sources(se-proxy PRIVATE ++ ${CMAKE_CURRENT_LIST_DIR}/spf_event_handler.c + ${CMAKE_CURRENT_LIST_DIR}/corstone1000_event_handling.c - ) -diff --git a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -index a754ace7..6d8c3855 100644 ---- a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -+++ b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -@@ -20,6 +20,7 @@ - #include - #include - #include "corstone1000_config.h" ++) ++ + #------------------------------------------------------------------------------- + # Infrastructure components + # +diff --git a/deployments/se-proxy/infra/corstone1000/spf_event_handler.c b/deployments/se-proxy/infra/corstone1000/spf_event_handler.c +new file mode 100644 +index 00000000..92820259 +--- /dev/null ++++ b/deployments/se-proxy/infra/corstone1000/spf_event_handler.c +@@ -0,0 +1,44 @@ ++/* ++ * Copyright (c) 2025, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#include ++#include "deployments/se-proxy/env/commonsp/proxy_service_factory_list.h" ++#include "rpc/common/caller/rpc_caller.h" ++#include "rpc/common/caller/rpc_caller_session.h" ++#include "rpc/common/interface/rpc_status.h" ++#include "rpc/common/interface/rpc_uuid.h" ++#include "rpc/rse_comms/caller/sp/rse_comms_caller.h" ++ +#include "corstone1000_event_handling.h" - - /* backends */ - #include -@@ -164,6 +165,32 @@ struct rpc_service_interface *its_proxy_create(void) - return secure_storage_provider_init(&its_provider, backend, &its_uuid); - } - ++ +struct rpc_service_interface *event_handler_proxy_create(void) +{ + static struct event_provider event_provider = {0}; ++ const struct rpc_uuid dummy_uuid = { .uuid = { 0 }}; + rpc_status_t rpc_status = RPC_ERROR_INTERNAL; + + /* Static objects for proxy instance */ @@ -272,7 +289,6 @@ index a754ace7..6d8c3855 100644 + if (rpc_status != RPC_SUCCESS) + return NULL; + -+ + event_provider.client.session = &rpc_session; + event_provider.client.rpc_status = RPC_SUCCESS; + event_provider.client.service_info.supported_encodings = 0; @@ -281,9 +297,8 @@ index a754ace7..6d8c3855 100644 + return corstone1000_event_provider_init(&event_provider); +} + - struct rpc_service_interface *fwu_proxy_create(void) - { - rpc_status_t rpc_status = RPC_ERROR_INTERNAL; ++ADD_PROXY_SERVICE_FACTORY(event_handler_proxy_create, ++ EVENT_HANDLER_PROXY, SE_PROXY_INTERFACE_PRIO_FWU + 1); -- -2.34.1 +2.43.0 diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-platform-corstone1000-Define-GUID-for-each-payloads.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-platform-corstone1000-Define-GUID-for-each-payloads.patch index 61ab4680..8d13cedf 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-platform-corstone1000-Define-GUID-for-each-payloads.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-platform-corstone1000-Define-GUID-for-each-payloads.patch @@ -1,30 +1,148 @@ -From 6a26d67c0b531af07537aefcbe7a46fc71471d4f Mon Sep 17 00:00:00 2001 -From: Ali Can Ozaslan -Date: Thu, 27 Mar 2025 13:42:03 +0000 -Subject: [PATCH 8/8] platform: corstone1000: Define GUID for FWU payloads +From a518c74b7ce050bba2d0aaece701086dc50ffa53 Mon Sep 17 00:00:00 2001 +From: Hugues KAMBA MPIANA +Date: Tue, 5 Aug 2025 13:54:13 +0100 +Subject: [PATCH 3/7] fwu:se-proxy: Allow platform override of FWU mapping and + payload size -Specify the Global Unique Identifiers (GUIDs) for firmware update (FWU) -payloads, which include BL2, TFM_S, FIP, and INITRAMFS. -Note that the GUIDs differ between FVP and MPS3 platforms. +Allow platform override of FWU mapping and payload size +by updating the SE-Proxy deployment to support +platform-specific overrides for Firmware Update configuration +parameters. -Upstream-Status: Pending -Signed-off-by: Ali Can Ozaslan +Specifically, it introduces configurable macros for the image mapping +table (`img_mapping`), the number of mapping entries +(`IMAGE_MAPPING_ELEMENT_COUNT`), and the maximum payload size +(`MAX_PAYLOAD_SIZE`). +Default values are provided if not defined by the platform. + +Corstone-1000 is supplying its own image mapping +layout and FWU buffer size by defining these symbols. + +`corstone1000_config.h` and `corstone1000_config.c` containing +platform-specific FWU configuration parameters for Corstone-1000 +are added. + +Key definitions include: +- UUIDs for firmware images used on FVP and MPS3 variants. +- An enum `fwu_image_index` to identify the image index in the capsule. + +This configuration enables consistent and reusable FWU integration +across Corstone-1000 platforms in the SE-Proxy deployment. + +Additionaly `psa_fwu_m_update_agent_init()` call is moved after +`psa_fwu_ipc_init()` because the former uses PSA API calls which can +only be used when the IPC framework has been initialized. + +Upstream-Status: Backport [a518c74b7ce050bba2d0aaece701086dc50ffa53] Signed-off-by: Harsimran Singh Tungal +Signed-off-by: Ali Can Ozaslan +Signed-off-by: Bence Balogh +Signed-off-by: Hugues KAMBA MPIANA --- - .../infra/corstone1000/corstone1000_config.h | 43 ++++++++++++++++--- - .../corstone1000/service_proxy_factory.c | 41 +++++++++++++++--- - 2 files changed, 73 insertions(+), 11 deletions(-) + .../psa_fwu_m/agent/psa_fwu_m_update_agent.h | 3 + + .../infra/corstone1000/corstone1000_config.c | 56 +++++++++++++++++ + .../infra/corstone1000/corstone1000_config.h | 60 +++++++++++++++++++ + .../se-proxy/infra/corstone1000/infra.cmake | 10 ++++ + deployments/se-proxy/infra/rse/spf_fwu.c | 11 +++- + 5 files changed, 139 insertions(+), 1 deletion(-) + create mode 100644 deployments/se-proxy/infra/corstone1000/corstone1000_config.c + create mode 100644 deployments/se-proxy/infra/corstone1000/corstone1000_config.h +diff --git a/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.h b/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.h +index 3c06570d..6354b8ba 100644 +--- a/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.h ++++ b/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.h +@@ -41,6 +41,9 @@ struct update_agent *psa_fwu_m_update_agent_init( + */ + void psa_fwu_m_update_agent_deinit(struct update_agent *update_agent); + ++/* This should be defined by the platform */ ++extern struct psa_fwu_m_image_mapping img_mapping[]; ++ + #ifdef __cplusplus + } + #endif +diff --git a/deployments/se-proxy/infra/corstone1000/corstone1000_config.c b/deployments/se-proxy/infra/corstone1000/corstone1000_config.c +new file mode 100644 +index 00000000..0cc0dee9 +--- /dev/null ++++ b/deployments/se-proxy/infra/corstone1000/corstone1000_config.c +@@ -0,0 +1,56 @@ ++/* ++ * Copyright (c) 2025, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ * ++ */ ++ ++#include "service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.h" ++#include "protocols/service/fwu/fwu_proto.h" ++ ++#include "corstone1000_config.h" ++ ++#ifndef CORSTONE_1000_TYPE ++#error "CORSTONE_1000_TYPE is not defined." ++#endif ++ ++struct psa_fwu_m_image_mapping img_mapping[IMAGE_MAPPING_ELEMENT_COUNT] = { ++#if (CORSTONE_1000_TYPE == CORSTONE_1000_TYPE_CORTEX_A35_FVP) ++ { ++ .uuid = FWU_FVP_BL2_CAPSULE_UUID, ++ .component = FWU_IMAGE_INDEX_CAPSULE_BL2 ++ }, ++ { ++ .uuid = FWU_FVP_TFM_S_CAPSULE_UUID, ++ .component = FWU_IMAGE_INDEX_CAPSULE_TFM_S ++ }, ++ { ++ .uuid = FWU_FVP_FIP_CAPSULE_UUID, ++ .component = FWU_IMAGE_INDEX_CAPSULE_FIP ++ }, ++ { ++ .uuid = FWU_FVP_INITRAMFS_CAPSULE_UUID, ++ .component = FWU_IMAGE_INDEX_CAPSULE_INITRAMFS ++ }, ++#elif (CORSTONE_1000_TYPE == CORSTONE_1000_TYPE_CORTEX_A35_MPS3) ++ { ++ .uuid = FWU_MPS3_BL2_CAPSULE_UUID, ++ .component = FWU_IMAGE_INDEX_CAPSULE_BL2 ++ }, ++ { ++ .uuid = FWU_MPS3_TFM_S_CAPSULE_UUID, ++ .component = FWU_IMAGE_INDEX_CAPSULE_TFM_S ++ }, ++ { ++ .uuid = FWU_MPS3_FIP_CAPSULE_UUID, ++ .component = FWU_IMAGE_INDEX_CAPSULE_FIP ++ }, ++ { ++ .uuid = FWU_MPS3_INITRAMFS_CAPSULE_UUID, ++ .component = FWU_IMAGE_INDEX_CAPSULE_INITRAMFS ++ }, ++#else ++#error "Unsupported CORSTONE_1000_TYPE value. Valid values are: 0 (Corstone-1000 with " \ ++ "Cortex-A35 FVP), 1 (Corstone-1000 with Cortex-A35 MPS3)" ++#endif ++}; diff --git a/deployments/se-proxy/infra/corstone1000/corstone1000_config.h b/deployments/se-proxy/infra/corstone1000/corstone1000_config.h -index 4a68c2fa..c4bd9c2c 100644 ---- a/deployments/se-proxy/infra/corstone1000/corstone1000_config.h +new file mode 100644 +index 00000000..59662ee3 +--- /dev/null +++ b/deployments/se-proxy/infra/corstone1000/corstone1000_config.h -@@ -11,17 +11,48 @@ - /* Maximum payload size to be transferred at once to Secure Enclave */ - #define MAX_PAYLOAD_SIZE 4096 - --#define CORSTONE1000_FVP_FULL_CAPSULE_UUID \ --{ 0x4e, 0x3a, 0x9f, 0x98, 0xe0, 0x46, 0xd0, 0x4c, 0x98, 0x77, 0xa2, 0x5c, 0x70, 0xc0, 0x13, 0x29, } +@@ -0,0 +1,60 @@ ++/* ++ * Copyright (c) 2025, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ * ++ */ ++ ++#ifndef CORSTONE1000_CONFIG_H ++#define CORSTONE1000_CONFIG_H ++ ++#define CORSTONE_1000_TYPE_CORTEX_A35_FVP 0 // Corstone-1000 with Cortex-A35 FVP ++#define CORSTONE_1000_TYPE_CORTEX_A35_MPS3 1 // Corstone-1000 with Cortex-A35 MPS3 ++ +/* + * GUIDs for capsule updatable firmware images + * @@ -55,87 +173,73 @@ index 4a68c2fa..c4bd9c2c 100644 + +#define FWU_MPS3_FIP_CAPSULE_UUID \ +{ 0x96, 0x2f, 0x30, 0x55, 0xf0, 0xc4, 0xf9, 0x5c, 0x86, 0x24, 0xe7, 0xcc, 0x38, 0x8f, 0x2b, 0x68, } - --#define CORSTONE1000_MPS3_FULL_CAPSULE_UUID \ --{ 0xd1, 0x65, 0x18, 0xdf, 0xfb, 0x90, 0x59, 0x4d, 0x9c, 0x38, 0xc9, 0xf2, 0xc1, 0xbb, 0xa8, 0xcc, } ++ +#define FWU_MPS3_INITRAMFS_CAPSULE_UUID \ +{ 0x72, 0xc9, 0x8a, 0x3e, 0x3c, 0xc3, 0xc9, 0x5c, 0x90, 0xa0, 0xcd, 0xd3, 0x15, 0x96, 0x83, 0xea, } - - /* Image indexes in the UEFI capsule */ - enum fwu_image_index - { -- FWU_IMAGE_INDEX_FULL_CAPSULE = 1, -- FWU_IMAGE_INDEX_ESRT, ++ ++ /* Image indexes in the UEFI capsule */ ++enum fwu_image_index { + FWU_IMAGE_INDEX_CAPSULE_BL2 = 1, + FWU_IMAGE_INDEX_CAPSULE_TFM_S, + FWU_IMAGE_INDEX_CAPSULE_FIP, + FWU_IMAGE_INDEX_CAPSULE_INITRAMFS, -+ FWU_IMAGE_INDEX_ESRT , - }; ++ FWU_IMAGE_INDEX_ESRT, ++ ++ FWU_IMAGE_INDEX_LAST = FWU_IMAGE_INDEX_ESRT, ++ FWU_IMAGE_INDEX_COUNT = FWU_IMAGE_INDEX_LAST, ++}; ++ ++#endif /* CORSTONE1000_CONFIG_H */ +diff --git a/deployments/se-proxy/infra/corstone1000/infra.cmake b/deployments/se-proxy/infra/corstone1000/infra.cmake +index f0c2e58e..8e0ac95f 100644 +--- a/deployments/se-proxy/infra/corstone1000/infra.cmake ++++ b/deployments/se-proxy/infra/corstone1000/infra.cmake +@@ -33,4 +33,14 @@ add_components(TARGET "se-proxy" + "components/messaging/rse_comms/sp" + ) - #endif /* CORSTONE1000_CONFIG_H */ -diff --git a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -index ed42e2cb..43a9ac37 100644 ---- a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -+++ b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -@@ -28,7 +28,14 @@ - #include - #include ++if (CFG_ENABLE_FWU) ++ target_sources(se-proxy PRIVATE ++ ${CMAKE_CURRENT_LIST_DIR}/corstone1000_config.c ++ ) ++ ++ target_include_directories(se-proxy PRIVATE ++ ${CMAKE_CURRENT_LIST_DIR} ++ ) ++endif() ++ + include(../../infra/rse/service_proxy_factory.cmake REQUIRED) +diff --git a/deployments/se-proxy/infra/rse/spf_fwu.c b/deployments/se-proxy/infra/rse/spf_fwu.c +index 4f123ba1..90f200e1 100644 +--- a/deployments/se-proxy/infra/rse/spf_fwu.c ++++ b/deployments/se-proxy/infra/rse/spf_fwu.c +@@ -18,6 +18,14 @@ + #include "service/fwu/common/update_agent_interface.h" + #include "service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h" --/* IMAGE_MAPPING_ELEMENT_COUNT includes the number of images to be updated and ESRT image */ -+/* IMAGE_MAPPING_ELEMENT_COUNT includes the number of images to be updated and ESRT image. -+ * It includes: -+ * - BL2 -+ * - TFM_S -+ * - FIP -+ * - INITRAMFS -+ * - ESRT -+ */ - #define IMAGE_MAPPING_ELEMENT_COUNT (FWU_IMAGE_CAPSULE_COUNT + 1) ++#ifndef IMAGE_MAPPING_ELEMENT_COUNT ++#define IMAGE_MAPPING_ELEMENT_COUNT 0 ++#endif ++ ++#ifndef MAX_PAYLOAD_SIZE ++#define MAX_PAYLOAD_SIZE 4096 ++#endif ++ + struct rpc_service_interface *fwu_proxy_create(void) + { + rpc_status_t rpc_status = RPC_ERROR_INTERNAL; +@@ -38,9 +46,10 @@ struct rpc_service_interface *fwu_proxy_create(void) + if (rpc_status != RPC_SUCCESS) + return NULL; - /* The index to access the ESRT image in the psa_fwu_m_image_mapping structure -@@ -41,13 +48,37 @@ static const struct rpc_uuid dummy_uuid = { 0 }; - static struct psa_fwu_m_image_mapping img_mapping[IMAGE_MAPPING_ELEMENT_COUNT] = { - #if PLATFORM_IS_FVP - { -- .uuid = CORSTONE1000_FVP_FULL_CAPSULE_UUID, -- .component = FWU_IMAGE_INDEX_FULL_CAPSULE -+ .uuid = FWU_FVP_BL2_CAPSULE_UUID, -+ .component = FWU_IMAGE_INDEX_CAPSULE_BL2 -+ }, -+ { -+ .uuid = FWU_FVP_TFM_S_CAPSULE_UUID, -+ .component = FWU_IMAGE_INDEX_CAPSULE_TFM_S -+ }, -+ { -+ .uuid = FWU_FVP_FIP_CAPSULE_UUID, -+ .component = FWU_IMAGE_INDEX_CAPSULE_FIP -+ }, -+ { -+ .uuid = FWU_FVP_INITRAMFS_CAPSULE_UUID, -+ .component = FWU_IMAGE_INDEX_CAPSULE_INITRAMFS - }, - #else - { -- .uuid = CORSTONE1000_MPS3_FULL_CAPSULE_UUID, -- .component = FWU_IMAGE_INDEX_FULL_CAPSULE -+ .uuid = FWU_MPS3_BL2_CAPSULE_UUID, -+ .component = FWU_IMAGE_INDEX_CAPSULE_BL2 -+ }, -+ { -+ .uuid = FWU_MPS3_TFM_S_CAPSULE_UUID, -+ .component = FWU_IMAGE_INDEX_CAPSULE_TFM_S -+ }, -+ { -+ .uuid = FWU_MPS3_FIP_CAPSULE_UUID, -+ .component = FWU_IMAGE_INDEX_CAPSULE_FIP -+ }, -+ { -+ .uuid = FWU_MPS3_INITRAMFS_CAPSULE_UUID, -+ .component = FWU_IMAGE_INDEX_CAPSULE_INITRAMFS - }, - #endif - }; +- agent = psa_fwu_m_update_agent_init(NULL, 0, 4096); + if (psa_fwu_ipc_init(&rpc_session) != PSA_SUCCESS) + return NULL; ++ agent = psa_fwu_m_update_agent_init(img_mapping, IMAGE_MAPPING_ELEMENT_COUNT, ++ MAX_PAYLOAD_SIZE); + + return fwu_provider_init(&fwu_provider, agent); + } -- -2.25.1 +2.43.0 diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Add-the-com-buffer-address-and-page-count.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Add-the-com-buffer-address-and-page-count.patch index ffca2adb..2625dc18 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Add-the-com-buffer-address-and-page-count.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Add-the-com-buffer-address-and-page-count.patch @@ -1,34 +1,35 @@ -From 2eef8097c6411fb54b2d0203159e120d192315c7 Mon Sep 17 00:00:00 2001 -From: Harsimran Singh Tungal -Date: Thu, 24 Jul 2025 10:33:41 +0000 -Subject: [PATCH] Plat: Corstone-1000: Add MM communication buffer configs to - CMake +From 333422fd06ccf69de8052988ec42398cec12ac3f Mon Sep 17 00:00:00 2001 +From: Hugues KAMBA MPIANA +Date: Fri, 8 Aug 2025 00:18:16 +0100 +Subject: [PATCH] platform: corstone1000: Add MM communication buffer + configs to CMake Two variables are added into the Corstone-1000 platform CMake file so the MM communication buffer address and the page count can be configured. -Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/40893] -Change-Id: I6bbdc90231b0417d4318d6709568113ab1f2c8ce +Upstream-Status: Backport [d49a99d6ade219a617741001fb23016d791855ee] Signed-off-by: Michael Safwat Signed-off-by: Harsimran Singh Tungal --- - platform/providers/arm/corstone1000/platform.cmake | 2 ++ - 1 file changed, 2 insertions(+) + platform/providers/arm/corstone1000/platform.cmake | 4 ++++ + 1 file changed, 4 insertions(+) diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -index db1e9743..88113c9d 100644 +index 3aeb4922..aeeb8fb4 100644 --- a/platform/providers/arm/corstone1000/platform.cmake +++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -18,6 +18,8 @@ set(SMM_SP_HEAP_SIZE 80*1024 CACHE STRING "SMM gateway SP heap size") - set(PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE 0x43C0 CACHE STRING "Size of the RSE_COMMS_PAYLOAD buffer") +@@ -12,6 +12,10 @@ set(SMM_SP_HEAP_SIZE 80*1024 CACHE STRING "SMM gateway SP heap size") + set(PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE 0x43C0 CACHE STRING "Size of the RSS_COMMS_PAYLOAD buffer") set(COMMS_MHU_MSG_SIZE 0x4500 CACHE STRING "Max message size that can be transfered via MHU") - set(TFM_FWU_MAX_DIGEST_SIZE ${TOTAL_ESRT_SIZE} CACHE STRING "Maximum size of ESRT entries of all the images in a bank") + +set(MM_COMM_BUFFER_ADDRESS "0x00000000 0x81FFF000" CACHE STRING "MM Communication buffer start address") +set(MM_COMM_BUFFER_PAGE_COUNT 0x1 CACHE STRING "MM Communication buffer page count") - ++ ++ target_compile_definitions(${TGT} PRIVATE - SMM_VARIABLE_INDEX_STORAGE_UID=0x787 + PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE=${PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE} + COMMS_MHU_MSG_SIZE=${COMMS_MHU_MSG_SIZE} -- 2.43.0 diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0022-Make-treating-warnings-as-errors-configurable.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0022-Make-treating-warnings-as-errors-configurable.patch new file mode 100644 index 00000000..d79e9e99 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0022-Make-treating-warnings-as-errors-configurable.patch @@ -0,0 +1,194 @@ +From 44e56b28f6a5ea9caab0bcccce3d02c59bb5d0ce Mon Sep 17 00:00:00 2001 +From: Gyorgy Szing +Date: Tue, 19 Aug 2025 11:07:39 +0200 +Subject: [PATCH 1/8] Make treating warnings as errors configurable + +Introduce the CMAKE_COMPILE_WARNING_AS_ERROR build option to control +whether the project treats compiler warnings as errors. This option is +enabled by default (On) and can be overridden via the CMake command line +using the -D flag or with an environment variable with the same name. +If both are specified, the command-line option takes precedence over the +environment variable. + +Enforcing warnings as errors helps maintain code quality, which is +especially important for security-focused projects. However, this can be +problematic for system integrators using newer compiler versions than +those used in upstream CI, as new compilers may introduce additional +warnings that cause builds to fail. +This option provides a temporary workaround by allowing such builds to +proceed until the warnings are addressed properly. + +Upstream-Status: Backport [44e56b28f6a5ea9caab0bcccce3d02c59bb5d0ce] +Signed-off-by: Gyorgy Szing +--- + .../arm-linux/default_toolchain_file.cmake | 24 +++++++++++++++++-- + .../linux-pc/default_toolchain_file.cmake | 23 ++++++++++++++++-- + .../opteesp/default_toolchain_file.cmake | 23 ++++++++++++++++-- + environments/sp/default_toolchain_file.cmake | 21 +++++++++++++++- + 4 files changed, 84 insertions(+), 7 deletions(-) + +diff --git a/environments/arm-linux/default_toolchain_file.cmake b/environments/arm-linux/default_toolchain_file.cmake +index 7e565dd2..d5900b05 100644 +--- a/environments/arm-linux/default_toolchain_file.cmake ++++ b/environments/arm-linux/default_toolchain_file.cmake +@@ -1,5 +1,5 @@ + #------------------------------------------------------------------------------- +-# Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. ++# Copyright (c) 2020-2025, Arm Limited and Contributors. All rights reserved. + # + # SPDX-License-Identifier: BSD-3-Clause + # +@@ -19,9 +19,29 @@ set(CMAKE_SYSTEM_PROCESSOR arm) + + set(TS_DEBUG_INFO_FLAGS "-fdiagnostics-show-option -gdwarf-2" CACHE STRING "Compiler flags to add debug information.") + set(TS_MANDATORY_AARCH_FLAGS "-mstrict-align -march=armv8-a+crc -DARM64=1" CACHE STRING "Compiler flags configuring architecture specific ") +-set(TS_WARNING_FLAGS "-Wall -Werror" CACHE STRING "Compiler flags affecting generating warning messages.") ++set(TS_WARNING_FLAGS "-Wall" CACHE STRING "Compiler flags affecting generating warning messages.") + set(TS_MANDATORY_LINKER_FLAGS "" CACHE STRING "Linker flags needed for correct builds.") + ++# Allow defining the "warning as error behavior" using an environment variable. But prioritize command line ++# definition if present. ++# If a cache variable is not present ++if(NOT DEFINED CACHE{CMAKE_COMPILE_WARNING_AS_ERROR}) ++ # And an environment variable is, copy its value to the cache ++ if (DEFINED ENV{CMAKE_COMPILE_WARNING_AS_ERROR}) ++ set(CMAKE_COMPILE_WARNING_AS_ERROR $ENV{CMAKE_COMPILE_WARNING_AS_ERROR} CACHE Bool "If compilation warnings should be treated as errors.") ++ endif() ++endif() ++ ++# By default warnings should be treated as errors. ++set(CMAKE_COMPILE_WARNING_AS_ERROR On CACHE BOOL "If compilation warnings should be treated as errors.") ++ ++# Cmake v3.24 + shall set the warning flag automatically, but does not when processing our deployments. As a workaround ++# set -Werror manually always as setting it twice shall have no ill effect. ++if (CMAKE_COMPILE_WARNING_AS_ERROR) ++ string(APPEND TS_WARNING_FLAGS " -Werror") ++endif() ++ ++ + # branch-protection enables bti/pac while compile force-bti tells the linker to + # warn if some object files lack the .note.gnu.property section with the BTI + # flag, and to turn on the BTI flag in the output anyway. +diff --git a/environments/linux-pc/default_toolchain_file.cmake b/environments/linux-pc/default_toolchain_file.cmake +index 2215d6b5..010105c2 100644 +--- a/environments/linux-pc/default_toolchain_file.cmake ++++ b/environments/linux-pc/default_toolchain_file.cmake +@@ -1,5 +1,5 @@ + #------------------------------------------------------------------------------- +-# Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. ++# Copyright (c) 2020-2025, Arm Limited and Contributors. All rights reserved. + # + # SPDX-License-Identifier: BSD-3-Clause + # +@@ -11,9 +11,28 @@ include_guard(GLOBAL) + + set(TS_DEBUG_INFO_FLAGS "-fdiagnostics-show-option -gdwarf-2" CACHE STRING "Compiler flags to add debug information.") + set(TS_MANDATORY_AARCH_FLAGS "" CACHE STRING "Compiler flags configuring architecture specific ") +-set(TS_WARNING_FLAGS "-Wall -Werror" CACHE STRING "Compiler flags affecting generating warning messages.") ++set(TS_WARNING_FLAGS "-Wall" CACHE STRING "Compiler flags affecting generating warning messages.") + set(TS_MANDATORY_LINKER_FLAGS "" CACHE STRING "Linker flags needed for correct builds.") + ++# Allow defining the "warning as error behavior" using an environment variable. But prioritize command line ++# definition if present. ++# If a cache variable is not present ++if(NOT DEFINED CACHE{CMAKE_COMPILE_WARNING_AS_ERROR}) ++ # And an environment variable is, copy its value to the cache ++ if (DEFINED ENV{CMAKE_COMPILE_WARNING_AS_ERROR}) ++ set(CMAKE_COMPILE_WARNING_AS_ERROR $ENV{CMAKE_COMPILE_WARNING_AS_ERROR} CACHE Bool "If compilation warnings should be treated as errors.") ++ endif() ++endif() ++ ++# By default warnings should be treated as errors. ++set(CMAKE_COMPILE_WARNING_AS_ERROR On CACHE BOOL "If compilation warnings should be treated as errors.") ++ ++# Cmake v3.24 + shall set the warning flag automatically, but does not when processing our deployments. As a workaround ++# set -Werror manually always as setting it twice shall have no ill effect. ++if (CMAKE_COMPILE_WARNING_AS_ERROR) ++ string(APPEND TS_WARNING_FLAGS " -Werror") ++endif() ++ + # Set flags affecting all build types + string(APPEND CMAKE_C_FLAGS_INIT " ${TS_MANDATORY_AARCH_FLAGS}") + string(APPEND CMAKE_CXX_FLAGS_INIT " ${TS_MANDATORY_AARCH_FLAGS}") +diff --git a/environments/opteesp/default_toolchain_file.cmake b/environments/opteesp/default_toolchain_file.cmake +index b150b852..677e92ff 100644 +--- a/environments/opteesp/default_toolchain_file.cmake ++++ b/environments/opteesp/default_toolchain_file.cmake +@@ -1,5 +1,5 @@ + #------------------------------------------------------------------------------- +-# Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. ++# Copyright (c) 2020-2025, Arm Limited and Contributors. All rights reserved. + # + # SPDX-License-Identifier: BSD-3-Clause + # +@@ -21,10 +21,29 @@ set(CMAKE_POSITION_INDEPENDENT_CODE True) + + set(TS_DEBUG_INFO_FLAGS "-fdiagnostics-show-option -gdwarf-2" CACHE STRING "Compiler flags to add debug information.") + set(TS_MANDATORY_AARCH_FLAGS "-fpic -mstrict-align -march=armv8-a+crc" CACHE STRING "Compiler flags configuring architecture specific ") +-set(TS_WARNING_FLAGS "-Wall -Werror" CACHE STRING "Compiler flags affecting generating warning messages.") ++set(TS_WARNING_FLAGS "-Wall" CACHE STRING "Compiler flags affecting generating warning messages.") + set(TS_MANDATORY_LINKER_FLAGS "-pie -Wl,--as-needed -Wl,--sort-section=alignment -zmax-page-size=4096" + CACHE STRING "Linker flags needed for correct builds.") + ++# Allow defining the "warning as error behavior" using an environment variable. But prioritize command line ++# definition if present. ++# If a cache variable is not present ++if(NOT DEFINED CACHE{CMAKE_COMPILE_WARNING_AS_ERROR}) ++ # And an environment variable is, copy its value to the cache ++ if (DEFINED ENV{CMAKE_COMPILE_WARNING_AS_ERROR}) ++ set(CMAKE_COMPILE_WARNING_AS_ERROR $ENV{CMAKE_COMPILE_WARNING_AS_ERROR} CACHE Bool "If compilation warnings should be treated as errors.") ++ endif() ++endif() ++ ++# By default warnings should be treated as errors. ++set(CMAKE_COMPILE_WARNING_AS_ERROR On CACHE BOOL "If compilation warnings should be treated as errors.") ++ ++# Cmake v3.24 + shall set the warning flag automatically, but does not when processing our deployments. As a workaround ++# set -Werror manually always as setting it twice shall have no ill effect. ++if (CMAKE_COMPILE_WARNING_AS_ERROR) ++ string(APPEND TS_WARNING_FLAGS " -Werror") ++endif() ++ + # branch-protection enables bti/pac while compile force-bti tells the linker to + # warn if some object files lack the .note.gnu.property section with the BTI + # flag, and to turn on the BTI flag in the output anyway. +diff --git a/environments/sp/default_toolchain_file.cmake b/environments/sp/default_toolchain_file.cmake +index d41ecec5..bbe4fb91 100644 +--- a/environments/sp/default_toolchain_file.cmake ++++ b/environments/sp/default_toolchain_file.cmake +@@ -1,5 +1,5 @@ + #------------------------------------------------------------------------------- +-# Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. ++# Copyright (c) 2020-2025, Arm Limited and Contributors. All rights reserved. + # + # SPDX-License-Identifier: BSD-3-Clause + # +@@ -24,6 +24,25 @@ set(TS_MANDATORY_AARCH_FLAGS "-fpie -mstrict-align -march=armv8-a+crc" CACHE STR + set(TS_WARNING_FLAGS "-Wall" CACHE STRING "Compiler flags affecting generating warning messages.") + set(TS_MANDATORY_LINKER_FLAGS "-Wl,-pie -Wl,--no-dynamic-linker -Wl,--sort-section=alignment -zmax-page-size=4096" CACHE STRING "Linker flags needed for correct builds.") + ++# Allow defining the "warning as error behavior" using an environment variable. But prioritize command line ++# definition if present. ++# If a cache variable is not present ++if(NOT DEFINED CACHE{CMAKE_COMPILE_WARNING_AS_ERROR}) ++ # And an environment variable is, copy its value to the cache ++ if (DEFINED ENV{CMAKE_COMPILE_WARNING_AS_ERROR}) ++ set(CMAKE_COMPILE_WARNING_AS_ERROR $ENV{CMAKE_COMPILE_WARNING_AS_ERROR} CACHE Bool "If compilation warnings should be treated as errors.") ++ endif() ++endif() ++ ++# By default warnings should be treated as errors. ++set(CMAKE_COMPILE_WARNING_AS_ERROR On CACHE BOOL "If compilation warnings should be treated as errors.") ++ ++# Cmake v3.24 + shall set the warning flag automatically, but does not when processing our deployments. As a workaround ++# set -Werror manually always as setting it twice shall have no ill effect. ++if (CMAKE_COMPILE_WARNING_AS_ERROR) ++ string(APPEND TS_WARNING_FLAGS " -Werror") ++endif() ++ + # branch-protection enables bti/pac while compile force-bti tells the linker to + # warn if some object files lack the .note.gnu.property section with the BTI + # flag, and to turn on the BTI flag in the output anyway. +-- +2.43.0 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0024-psa-crypto-fix-AEAD-block-cypher-support.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0024-psa-crypto-fix-AEAD-block-cypher-support.patch new file mode 100644 index 00000000..ee016245 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0024-psa-crypto-fix-AEAD-block-cypher-support.patch @@ -0,0 +1,73 @@ +From 85c8535f448466cdbd773f7072a42203ebc6ae64 Mon Sep 17 00:00:00 2001 +From: Gabor Abonyi +Date: Fri, 4 Apr 2025 11:43:09 +0000 +Subject: [PATCH 01/25] psa-crypto: fix AEAD block cypher support + +This change enables support for block cyphers that require input data +to be processed in whole block-sized chunks. + +psa_aead_encrypt() may send all input data for encryption, but the +underlying implementation is permitted to return only full blocks. +Any remaining data is returned later via psa_aead_finish(). +Similarly, in psa_aead_decrypt(), extra decrypted data may be returned +during psa_aead_verify(). + +This update ensures compatibility with block-based hardware accelerators +by deferring partial block processing until finalisation steps. + +Upstream-Status: Backport [85c8535f448466cdbd773f7072a42203ebc6ae64] +Signed-off-by: Gabor Abonyi +--- + .../service/crypto/client/psa/psa_aead.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/components/service/crypto/client/psa/psa_aead.c b/components/service/crypto/client/psa/psa_aead.c +index c820d222..5d76f708 100644 +--- a/components/service/crypto/client/psa/psa_aead.c ++++ b/components/service/crypto/client/psa/psa_aead.c +@@ -7,6 +7,7 @@ + #include + #include "psa_crypto_client.h" + #include "crypto_caller_selector.h" ++#include + + psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation, + psa_key_id_t key, +@@ -244,14 +245,19 @@ psa_status_t psa_aead_encrypt(psa_key_id_t key, + { + size_t remaining_aead_len = 0; + size_t tag_len = 0; ++ uint8_t tag[PSA_AEAD_TAG_MAX_SIZE]; + + psa_status = psa_aead_finish(&operation, +- NULL, 0, &remaining_aead_len, +- &aeadtext[bytes_output], aeadtext_size - bytes_output, &tag_len); ++ &aeadtext[bytes_output], aeadtext_size - bytes_output, &remaining_aead_len, ++ tag, PSA_AEAD_TAG_MAX_SIZE, &tag_len); + +- if (psa_status == PSA_SUCCESS) { ++ if (aeadtext_size < bytes_output + remaining_aead_len + tag_len) ++ psa_status = PSA_ERROR_BUFFER_TOO_SMALL; + +- *aeadtext_length = bytes_output + remaining_aead_len + tag_len; ++ if (psa_status == PSA_SUCCESS) { ++ bytes_output += remaining_aead_len; ++ memcpy(&aeadtext[bytes_output], tag, tag_len); ++ *aeadtext_length = bytes_output + tag_len; + } + else { + +@@ -301,8 +307,8 @@ psa_status_t psa_aead_decrypt(psa_key_id_t key, + size_t remaining_plaintext_len = 0; + + psa_status = psa_aead_verify(&operation, +- NULL, 0, &remaining_plaintext_len, +- &aeadtext[bytes_output], aeadtext_length - bytes_output); ++ &plaintext[bytes_output], plaintext_size - bytes_output, ++ &remaining_plaintext_len, &aeadtext[ciphertext_len], tag_len); + + if (psa_status == PSA_SUCCESS) { + +-- +2.43.0 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc b/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc index 4d2dfa31..703c07cb 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc @@ -2,26 +2,19 @@ FILESEXTRAPATHS:prepend:corstone1000 := "${THISDIR}/corstone1000:" COMPATIBLE_MACHINE:corstone1000 = "corstone1000" SRC_URI:append:corstone1000 = " \ - file://0001-Fix-in-AEAD-for-psa-arch-test-254.patch \ - file://0002-Fix-psa-api-crypto-test-no-243.patch \ - file://0003-Remove-Werror-flag.patch \ - file://0004-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch \ - file://0005-Make-RSS-and-MHU-sizes-compile-time-definitions-user.patch \ - file://0006-Align-PSA-Crypto-with-TF-Mv2.1.patch \ - file://0007-Revert-Load-and-store-UEFI-variable-index-in-chunks.patch \ - file://0008-se-proxy-protobuf-change.patch \ file://0009-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch \ - file://0010-Integrate-PSA-FWU-IPC-framework-for-Corstone-1000.patch \ - file://0011-Load-initial-image-state-in-PSA-FWU-M-update-agent.patch \ - file://0012-Corstone1000-Define-PSA-FWU-image-mapping-structure.patch \ - file://0013-Fix-PSA-FWU-IPC-psa_fwu_install-return-value-check.patch \ - file://0014-fwu-Add-EFI-ESRT-v1-support.patch \ - file://0015-platform-corstone1000-Enable-ESRT-support.patch \ file://0016-platform-corstone1000-Add-event-provider-proxy.patch \ file://0017-platform-corstone1000-Define-GUID-for-each-payloads.patch \ + file://0013-Fix-PSA-FWU-IPC-psa_fwu_install-return-value-check.patch \ file://0018-Add-the-com-buffer-address-and-page-count.patch \ - file://0021-Align-PSA-Crypto-structs-with-TF-Mv2.1.1.patch \ - " + file://0014-fwu-Add-EFI-ESRT-v1-support.patch \ + file://0022-Make-treating-warnings-as-errors-configurable.patch \ + file://0003-Remove-Werror-flag.patch \ + file://0007-fwu-proxy-refactor-image-mapping.patch \ + file://0007-Revert-Load-and-store-UEFI-variable-index-in-chunks.patch \ + file://0004-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch \ + file://0024-psa-crypto-fix-AEAD-block-cypher-support.patch \ +" # The patches above introduce errors with GCC 14.1, silence them for now CFLAGS:append:corstone1000 = " -Wno-int-conversion -Wno-implicit-function-declaration" @@ -30,4 +23,5 @@ TS_PLATFORM:fvp-base = "arm/fvp/fvp_base_revc-2xaemv8a" EXTRA_OECMAKE:append:corstone1000 = " \ -DCORSTONE_1000_TYPE=${CORSTONE_1000_TYPE} \ + -DCMAKE_COMPILE_WARNING_AS_ERROR=OFF \ " diff --git a/meta-arm/recipes-security/trusted-services/trusted-services-src.inc b/meta-arm/recipes-security/trusted-services/trusted-services-src.inc index 50e11117..210086fe 100644 --- a/meta-arm/recipes-security/trusted-services/trusted-services-src.inc +++ b/meta-arm/recipes-security/trusted-services/trusted-services-src.inc @@ -13,8 +13,7 @@ SRC_URI:append = "\ file://0005-cpputest-fix-cmake-4.0-compatibility.patch \ " -# Trusted Services; aka. v1.1.0 -SRCREV_trusted-services = "83bd53b6689ebb071bc13fcd4e01618bab2e74ca" +SRCREV_trusted-services = "v1.2.0" LIC_FILES_CHKSUM = "file://${S}/license.rst;md5=ea160bac7f690a069c608516b17997f4" S = "${UNPACKDIR}/trusted-services" From patchwork Tue Sep 16 15:00:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hugues KAMBA MPIANA X-Patchwork-Id: 70362 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BD5A4CAC599 for ; Tue, 16 Sep 2025 15:00:26 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.585.1758034821627054562 for ; Tue, 16 Sep 2025 08:00:21 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: hugues.kambampiana@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 0BAB62ED2; Tue, 16 Sep 2025 08:00:13 -0700 (PDT) Received: from LXKV206JHX.arm.com (unknown [10.57.80.132]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id A63A73F694; Tue, 16 Sep 2025 08:00:20 -0700 (PDT) From: Hugues KAMBA MPIANA To: meta-arm@lists.yoctoproject.org Cc: Hugues KAMBA MPIANA Subject: [PATCH 3/4] arm-bsp/ts:corstone1000: Remove obsolete patches Date: Tue, 16 Sep 2025 16:00:12 +0100 Message-ID: <20250916150013.30666-4-hugues.kambampiana@arm.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250916150013.30666-1-hugues.kambampiana@arm.com> References: <20250916150013.30666-1-hugues.kambampiana@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Sep 2025 15:00:26 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6713 The Corstone-1000 Trusted Services patches removed in this change are no longer required following the upgrade to Trusted Services v1.2.0. Signed-off-by: Hugues KAMBA MPIANA --- ...01-Fix-in-AEAD-for-psa-arch-test-254.patch | 129 ------ .../0002-Fix-psa-api-crypto-test-no-243.patch | 31 -- ...-sizes-compile-time-definitions-user.patch | 40 -- .../0006-Align-PSA-Crypto-with-TF-Mv2.1.patch | 298 ------------ .../0008-se-proxy-protobuf-change.patch | 71 --- ...-FWU-IPC-framework-for-Corstone-1000.patch | 436 ------------------ ...mage-state-in-PSA-FWU-M-update-agent.patch | 188 -------- ...fine-PSA-FWU-image-mapping-structure.patch | 128 ----- ...orm-corstone1000-Enable-ESRT-support.patch | 129 ------ ...n-PSA-Crypto-structs-with-TF-Mv2.1.1.patch | 29 -- 10 files changed, 1479 deletions(-) delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Fix-in-AEAD-for-psa-arch-test-254.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fix-psa-api-crypto-test-no-243.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Make-RSS-and-MHU-sizes-compile-time-definitions-user.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-Align-PSA-Crypto-with-TF-Mv2.1.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-se-proxy-protobuf-change.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Integrate-PSA-FWU-IPC-framework-for-Corstone-1000.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Load-initial-image-state-in-PSA-FWU-M-update-agent.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-Corstone1000-Define-PSA-FWU-image-mapping-structure.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-platform-corstone1000-Enable-ESRT-support.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0021-Align-PSA-Crypto-structs-with-TF-Mv2.1.1.patch diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Fix-in-AEAD-for-psa-arch-test-254.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Fix-in-AEAD-for-psa-arch-test-254.patch deleted file mode 100644 index a2e72b79..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Fix-in-AEAD-for-psa-arch-test-254.patch +++ /dev/null @@ -1,129 +0,0 @@ -From 74a07ccbb4eb573269672a0c1f61b9165a592b44 Mon Sep 17 00:00:00 2001 -From: Satish Kumar -Date: Mon, 14 Feb 2022 08:22:25 +0000 -Subject: [PATCH 02/12] Fix in AEAD for psa-arch test 254 - -PSA crypto test 254 fails at checkpoint 6. -Fix output arguments in various crypto AEAD functions -to match crypto service implementation in TF-M. AEAD API's -in TF-M start expecting output size as an argument. - -Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/31176] -Signed-off-by: Emekcan Aras -Signed-off-by: Satish Kumar -Signed-off-by: Rui Miguel Silva -Signed-off-by: Harsimran Singh Tungal ---- - .../crypto/client/caller/packed-c/crypto_caller_aead.h | 1 + - components/service/crypto/include/psa/crypto_sizes.h | 2 +- - .../crypto/provider/extension/aead/aead_provider.c | 10 ++++++++-- - .../aead/serializer/aead_provider_serializer.h | 1 + - .../packed-c/packedc_aead_provider_serializer.c | 2 ++ - protocols/service/crypto/packed-c/aead.h | 1 + - 6 files changed, 14 insertions(+), 3 deletions(-) - -diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h -index 417189e87..236d3e258 100644 ---- a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h -+++ b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h -@@ -314,6 +314,7 @@ static inline psa_status_t crypto_caller_aead_update(struct service_client *cont - size_t req_len = req_fixed_len; - - *output_length = 0; -+ req_msg.output_size = output_size; - req_msg.op_handle = op_handle; - - /* Mandatory input data parameter */ -diff --git a/components/service/crypto/include/psa/crypto_sizes.h b/components/service/crypto/include/psa/crypto_sizes.h -index 30aa102da..130d27295 100644 ---- a/components/service/crypto/include/psa/crypto_sizes.h -+++ b/components/service/crypto/include/psa/crypto_sizes.h -@@ -351,7 +351,7 @@ - * just the largest size that may be generated by - * #psa_aead_generate_nonce(). - */ --#define PSA_AEAD_NONCE_MAX_SIZE 12 -+#define PSA_AEAD_NONCE_MAX_SIZE 16 - - /** A sufficient output buffer size for psa_aead_update(). - * -diff --git a/components/service/crypto/provider/extension/aead/aead_provider.c b/components/service/crypto/provider/extension/aead/aead_provider.c -index b73d88d32..510cffa34 100644 ---- a/components/service/crypto/provider/extension/aead/aead_provider.c -+++ b/components/service/crypto/provider/extension/aead/aead_provider.c -@@ -283,10 +283,11 @@ static rpc_status_t aead_update_handler(void *context, struct rpc_request *req) - uint32_t op_handle; - const uint8_t *input; - size_t input_len; -+ uint32_t recv_output_size; - - if (serializer) - rpc_status = serializer->deserialize_aead_update_req(req_buf, &op_handle, -- &input, &input_len); -+ &recv_output_size, &input, &input_len); - - if (rpc_status == RPC_SUCCESS) { - -@@ -300,9 +301,14 @@ static rpc_status_t aead_update_handler(void *context, struct rpc_request *req) - if (crypto_context) { - - size_t output_len = 0; -- size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(input_len); -+ size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(24); -+ /* Always allocate maximum size to be more robust to implementations of psa_aead_update() */ - uint8_t *output = malloc(output_size); - -+ if (recv_output_size < output_size) { -+ output_size = recv_output_size; -+ } -+ - if (output) { - - psa_status = psa_aead_update(&crypto_context->op.aead, -diff --git a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h -index be76d2bc6..590973048 100644 ---- a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h -+++ b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h -@@ -51,6 +51,7 @@ struct aead_provider_serializer { - /* Operation: aead_update */ - rpc_status_t (*deserialize_aead_update_req)(const struct rpc_buffer *req_buf, - uint32_t *op_handle, -+ uint32_t *output_size, - const uint8_t **input, size_t *input_len); - - rpc_status_t (*serialize_aead_update_resp)(struct rpc_buffer *resp_buf, -diff --git a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c -index 8f8c3c7f2..922a7b651 100644 ---- a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c -+++ b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c -@@ -192,6 +192,7 @@ static rpc_status_t deserialize_aead_update_ad_req(const struct rpc_buffer *req_ - /* Operation: aead_update */ - static rpc_status_t deserialize_aead_update_req(const struct rpc_buffer *req_buf, - uint32_t *op_handle, -+ uint32_t *output_size, - const uint8_t **input, size_t *input_len) - { - rpc_status_t rpc_status = RPC_ERROR_INVALID_REQUEST_BODY; -@@ -208,6 +209,7 @@ static rpc_status_t deserialize_aead_update_req(const struct rpc_buffer *req_buf - memcpy(&recv_msg, req_buf->data, expected_fixed_len); - - *op_handle = recv_msg.op_handle; -+ *output_size = recv_msg.output_size; - - tlv_const_iterator_begin(&req_iter, - (uint8_t*)req_buf->data + expected_fixed_len, -diff --git a/protocols/service/crypto/packed-c/aead.h b/protocols/service/crypto/packed-c/aead.h -index 0be266b52..435fd3b52 100644 ---- a/protocols/service/crypto/packed-c/aead.h -+++ b/protocols/service/crypto/packed-c/aead.h -@@ -98,6 +98,7 @@ enum - struct __attribute__ ((__packed__)) ts_crypto_aead_update_in - { - uint32_t op_handle; -+ uint32_t output_size; - }; - - /* Variable length input parameter tags */ --- -2.25.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fix-psa-api-crypto-test-no-243.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fix-psa-api-crypto-test-no-243.patch deleted file mode 100644 index 9253d8ec..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fix-psa-api-crypto-test-no-243.patch +++ /dev/null @@ -1,31 +0,0 @@ -From c74d0d62fede8ef0207a909fb4157dbbb4830dc9 Mon Sep 17 00:00:00 2001 -From: Bence Balogh -Date: Wed, 10 Apr 2024 09:17:39 +0200 -Subject: [PATCH 04/12] Fix psa-api-crypto-test no 243 - -Enable MbedTLS ECP DP SECP521R1 ECC algorithm to pass -PSA-API tests's `psa-api-crypto-test` number 243 as it is -required for Corstone-1000. - -Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/31177/1] -Signed-off-by: Emekcan Aras -Signed-off-by: Harsimran Singh Tungal ---- - platform/providers/arm/corstone1000/platform.cmake | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -index d39b79033..0c7c51b6e 100644 ---- a/platform/providers/arm/corstone1000/platform.cmake -+++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -14,6 +14,7 @@ target_compile_definitions(${TGT} PRIVATE - SMM_VARIABLE_INDEX_STORAGE_UID=0x787 - PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE=0x2080 - COMMS_MHU_MSG_SIZE=0x3500 -+ MBEDTLS_ECP_DP_SECP521R1_ENABLED - ) - - get_property(_platform_driver_dependencies TARGET ${TGT} --- -2.25.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Make-RSS-and-MHU-sizes-compile-time-definitions-user.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Make-RSS-and-MHU-sizes-compile-time-definitions-user.patch deleted file mode 100644 index 90dadc6c..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Make-RSS-and-MHU-sizes-compile-time-definitions-user.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 1c8b1d017cbdd26c9b75580936017eecd2b1f70c Mon Sep 17 00:00:00 2001 -From: Gyorgy Szing -Date: Fri, 18 Oct 2024 12:08:21 +0000 -Subject: [PATCH 10/12] Make RSE and MHU sizes compile-time definitions - user-configurable - -Replace the hardcoded RSE and MHU compile definitions values with CMake -cache variables that users can configure to change the size of the RSE -communication payload and the MHU message. - -Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/31178/1] -Signed-off-by: Bence Balogh -Signed-off-by: Harsimran Singh Tungal ---- - platform/providers/arm/corstone1000/platform.cmake | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -index 0c7c51b6e..66a55ab85 100644 ---- a/platform/providers/arm/corstone1000/platform.cmake -+++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -9,11 +9,13 @@ - set(SMM_GATEWAY_MAX_UEFI_VARIABLES 80 CACHE STRING "Maximum UEFI variable count") - set(SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE 4*4096 CACHE STRING "RPC caller buffer size in SMMGW") - set(SMM_SP_HEAP_SIZE 80*1024 CACHE STRING "SMM gateway SP heap size") -+set(PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE 0x43C0 CACHE STRING "Size of the RSE_COMMS_PAYLOAD buffer") -+set(COMMS_MHU_MSG_SIZE 0x4500 CACHE STRING "Max message size that can be transfered via MHU") - - target_compile_definitions(${TGT} PRIVATE - SMM_VARIABLE_INDEX_STORAGE_UID=0x787 -- PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE=0x2080 -- COMMS_MHU_MSG_SIZE=0x3500 -+ PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE=${PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE} -+ COMMS_MHU_MSG_SIZE=${COMMS_MHU_MSG_SIZE} - MBEDTLS_ECP_DP_SECP521R1_ENABLED - ) - --- -2.25.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-Align-PSA-Crypto-with-TF-Mv2.1.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-Align-PSA-Crypto-with-TF-Mv2.1.patch deleted file mode 100644 index 906a27d2..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-Align-PSA-Crypto-with-TF-Mv2.1.patch +++ /dev/null @@ -1,298 +0,0 @@ -From 111c15d7bf79e023bfb8bdcf631dfa95503f5f4e Mon Sep 17 00:00:00 2001 -From: Gyorgy Szing -Date: Fri, 18 Oct 2024 11:40:29 +0000 -Subject: [PATCH 11/12] Align PSA Crypto with TF-Mv2.1 - -Update following files using the TF-Mv2.1 release (0c4c99b) commit. - -* crypto_sid.h -This is derived from TF-M's tfm_crypto_defs.h file. The crypto function -ID definitions were reworked. This change had to be done on the TS -side too to keep the compatibility. - -* crypto_ipc_backend.h -This file is also derived from the tfm_crypto_defs.h file. The -tfm_crypto_pack_iovec struct changed in TF-M so the -psa_ipc_crypto_pack_iovec struct had to be updated in TS to -keep the compatibility. - -* crypto_client_struct.h -The psa_client_key_attributes_s struct had to be aligned with the -psa_key_attributes_s struct in TF-M. (psa_crypto.c) - -Signed-off-by: Bence Balogh -Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/31179/1] ---- - .../service/common/include/psa/crypto_sid.h | 166 +++++------------- - .../backend/psa_ipc/crypto_ipc_backend.h | 9 +- - .../crypto/include/psa/crypto_client_struct.h | 4 +- - 3 files changed, 54 insertions(+), 125 deletions(-) - -diff --git a/components/service/common/include/psa/crypto_sid.h b/components/service/common/include/psa/crypto_sid.h -index 5b05f46d7..e1fbb15e2 100644 ---- a/components/service/common/include/psa/crypto_sid.h -+++ b/components/service/common/include/psa/crypto_sid.h -@@ -19,21 +19,23 @@ extern "C" { - * Asym sign, Asym encrypt, Key derivation). - */ - enum tfm_crypto_group_id { -- TFM_CRYPTO_GROUP_ID_RANDOM = 0x0, -- TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT, -- TFM_CRYPTO_GROUP_ID_HASH, -- TFM_CRYPTO_GROUP_ID_MAC, -- TFM_CRYPTO_GROUP_ID_CIPHER, -- TFM_CRYPTO_GROUP_ID_AEAD, -- TFM_CRYPTO_GROUP_ID_ASYM_SIGN, -- TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT, -- TFM_CRYPTO_GROUP_ID_KEY_DERIVATION, -+ TFM_CRYPTO_GROUP_ID_RANDOM = UINT8_C(1), -+ TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT = UINT8_C(2), -+ TFM_CRYPTO_GROUP_ID_HASH = UINT8_C(3), -+ TFM_CRYPTO_GROUP_ID_MAC = UINT8_C(4), -+ TFM_CRYPTO_GROUP_ID_CIPHER = UINT8_C(5), -+ TFM_CRYPTO_GROUP_ID_AEAD = UINT8_C(6), -+ TFM_CRYPTO_GROUP_ID_ASYM_SIGN = UINT8_C(7), -+ TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT = UINT8_C(8), -+ TFM_CRYPTO_GROUP_ID_KEY_DERIVATION = UINT8_C(9) - }; - --/* X macro describing each of the available PSA Crypto APIs */ -+/* Set of X macros describing each of the available PSA Crypto APIs */ -+#define RANDOM_FUNCS \ -+ X(TFM_CRYPTO_GENERATE_RANDOM) -+ - #define KEY_MANAGEMENT_FUNCS \ - X(TFM_CRYPTO_GET_KEY_ATTRIBUTES) \ -- X(TFM_CRYPTO_RESET_KEY_ATTRIBUTES) \ - X(TFM_CRYPTO_OPEN_KEY) \ - X(TFM_CRYPTO_CLOSE_KEY) \ - X(TFM_CRYPTO_IMPORT_KEY) \ -@@ -89,13 +91,13 @@ enum tfm_crypto_group_id { - X(TFM_CRYPTO_AEAD_VERIFY) \ - X(TFM_CRYPTO_AEAD_ABORT) - --#define ASYMMETRIC_SIGN_FUNCS \ -+#define ASYM_SIGN_FUNCS \ - X(TFM_CRYPTO_ASYMMETRIC_SIGN_MESSAGE) \ - X(TFM_CRYPTO_ASYMMETRIC_VERIFY_MESSAGE) \ - X(TFM_CRYPTO_ASYMMETRIC_SIGN_HASH) \ - X(TFM_CRYPTO_ASYMMETRIC_VERIFY_HASH) - --#define AYSMMETRIC_ENCRYPT_FUNCS \ -+#define ASYM_ENCRYPT_FUNCS \ - X(TFM_CRYPTO_ASYMMETRIC_ENCRYPT) \ - X(TFM_CRYPTO_ASYMMETRIC_DECRYPT) - -@@ -106,133 +108,55 @@ enum tfm_crypto_group_id { - X(TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY) \ - X(TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES) \ - X(TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_INPUT_INTEGER) \ - X(TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT) \ - X(TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES) \ - X(TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY) \ - X(TFM_CRYPTO_KEY_DERIVATION_ABORT) - --#define RANDOM_FUNCS \ -- X(TFM_CRYPTO_GENERATE_RANDOM) -- --/* -- * Define function IDs in each group. The function ID will be encoded into -- * tfm_crypto_func_sid below. -- * Each group is defined as a dedicated enum in case the total number of -- * PSA Crypto APIs exceeds 256. -- */ --#define X(func_id) func_id, --enum tfm_crypto_key_management_func_id { -- KEY_MANAGEMENT_FUNCS --}; --enum tfm_crypto_hash_func_id { -- HASH_FUNCS --}; --enum tfm_crypto_mac_func_id { -- MAC_FUNCS --}; --enum tfm_crypto_cipher_func_id { -- CIPHER_FUNCS --}; --enum tfm_crypto_aead_func_id { -- AEAD_FUNCS --}; --enum tfm_crypto_asym_sign_func_id { -- ASYMMETRIC_SIGN_FUNCS --}; --enum tfm_crypto_asym_encrypt_func_id { -- AYSMMETRIC_ENCRYPT_FUNCS --}; --enum tfm_crypto_key_derivation_func_id { -- KEY_DERIVATION_FUNCS --}; --enum tfm_crypto_random_func_id { -- RANDOM_FUNCS --}; --#undef X -- --#define FUNC_ID(func_id) (((func_id) & 0xFF) << 8) -+#define BASE__VALUE(x) ((uint16_t)((((uint16_t)(x)) << 8) & 0xFF00)) - --/* -- * Numerical progressive value identifying a function API exposed through -- * the interfaces (S or NS). It's used to dispatch the requests from S/NS -- * to the corresponding API implementation in the Crypto service backend. -+/** -+ * \brief This type defines numerical progressive values identifying a function API -+ * exposed through the interfaces (S or NS). It's used to dispatch the requests -+ * from S/NS to the corresponding API implementation in the Crypto service backend. -+ * -+ * \note Each function SID is encoded as uint16_t. -+ * +------------+------------+ -+ * | Group ID | Func ID | -+ * +------------+------------+ -+ * (MSB)15 8 7 0(LSB) - * -- * Each function SID is encoded as uint16_t. -- * | Func ID | Group ID | -- * 15 8 7 0 -- * Func ID is defined in each group func_id enum above -- * Group ID is defined in tfm_crypto_group_id. - */ --enum tfm_crypto_func_sid { -- --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT & 0xFF)), -- -+enum tfm_crypto_func_sid_t { -+#define X(FUNCTION_NAME) FUNCTION_NAME ## _SID, -+ BASE__RANDOM = BASE__VALUE(TFM_CRYPTO_GROUP_ID_RANDOM) - 1, -+ RANDOM_FUNCS -+ BASE__KEY_MANAGEMENT = BASE__VALUE(TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT) - 1, - KEY_MANAGEMENT_FUNCS -- --#undef X --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_HASH & 0xFF)), -+ BASE__HASH = BASE__VALUE(TFM_CRYPTO_GROUP_ID_HASH) - 1, - HASH_FUNCS -- --#undef X --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_MAC & 0xFF)), -+ BASE__MAC = BASE__VALUE(TFM_CRYPTO_GROUP_ID_MAC) - 1, - MAC_FUNCS -- --#undef X --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_CIPHER & 0xFF)), -+ BASE__CIPHER = BASE__VALUE(TFM_CRYPTO_GROUP_ID_CIPHER) - 1, - CIPHER_FUNCS -- --#undef X --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_AEAD & 0xFF)), -+ BASE__AEAD = BASE__VALUE(TFM_CRYPTO_GROUP_ID_AEAD) - 1, - AEAD_FUNCS -- --#undef X --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_ASYM_SIGN & 0xFF)), -- ASYMMETRIC_SIGN_FUNCS -- --#undef X --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT & 0xFF)), -- AYSMMETRIC_ENCRYPT_FUNCS -- --#undef X --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_KEY_DERIVATION & 0xFF)), -+ BASE__ASYM_SIGN = BASE__VALUE(TFM_CRYPTO_GROUP_ID_ASYM_SIGN) - 1, -+ ASYM_SIGN_FUNCS -+ BASE__ASYM_ENCRYPT = BASE__VALUE(TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT) - 1, -+ ASYM_ENCRYPT_FUNCS -+ BASE__KEY_DERIVATION = BASE__VALUE(TFM_CRYPTO_GROUP_ID_KEY_DERIVATION) - 1, - KEY_DERIVATION_FUNCS -- - #undef X --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_RANDOM & 0xFF)), -- RANDOM_FUNCS -- - }; --#undef X - - /** -- * \brief Define an invalid value for an SID -- * -+ * \brief This macro is used to extract the group_id from an encoded function id -+ * by accessing the upper 8 bits. A \a _function_id is uint16_t type - */ --#define TFM_CRYPTO_SID_INVALID (~0x0u) -- --/** -- * \brief This value is used to mark an handle as invalid. -- * -- */ --#define TFM_CRYPTO_INVALID_HANDLE (0x0u) -- --/** -- * \brief Define miscellaneous literal constants that are used in the service -- * -- */ --enum { -- TFM_CRYPTO_NOT_IN_USE = 0, -- TFM_CRYPTO_IN_USE = 1 --}; -+#define TFM_CRYPTO_GET_GROUP_ID(_function_id) \ -+ ((enum tfm_crypto_group_id_t)(((uint16_t)(_function_id) >> 8) & 0xFF)) - - #ifdef __cplusplus - } -diff --git a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -index f9bbf84d6..27fe3496a 100644 ---- a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -+++ b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -@@ -30,10 +30,9 @@ struct psa_ipc_crypto_aead_pack_input { - struct psa_ipc_crypto_pack_iovec { - psa_key_id_t key_id; /*!< Key id */ - psa_algorithm_t alg; /*!< Algorithm */ -- uint32_t op_handle; /*!< Frontend context handle associated to a -+ uint32_t op_handle; /*!< Client context handle associated to a - * multipart operation - */ -- uint32_t capacity; /*!< Key derivation capacity */ - uint32_t ad_length; /*!< Additional Data length for multipart AEAD */ - uint32_t plaintext_length; /*!< Plaintext length for multipart AEAD */ - -@@ -44,7 +43,11 @@ struct psa_ipc_crypto_pack_iovec { - * See tfm_crypto_func_sid for detail - */ - uint16_t step; /*!< Key derivation step */ --} __attribute__((__packed__)); -+ union { -+ size_t capacity; /*!< Key derivation capacity */ -+ uint64_t value; /*!< Key derivation integer for update*/ -+ }; -+}; - - #define iov_size sizeof(struct psa_ipc_crypto_pack_iovec) - -diff --git a/components/service/crypto/include/psa/crypto_client_struct.h b/components/service/crypto/include/psa/crypto_client_struct.h -index 1f68aba21..ebc400811 100644 ---- a/components/service/crypto/include/psa/crypto_client_struct.h -+++ b/components/service/crypto/include/psa/crypto_client_struct.h -@@ -34,9 +34,11 @@ struct psa_client_key_attributes_s - uint16_t type; - uint16_t bits; - uint32_t lifetime; -- psa_key_id_t id; - uint32_t usage; - uint32_t alg; -+ uint32_t alg2; -+ uint32_t id; -+ int32_t owner_id; - }; - - #define PSA_CLIENT_KEY_ATTRIBUTES_INIT {0, 0, 0, 0, 0, 0} --- -2.25.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-se-proxy-protobuf-change.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-se-proxy-protobuf-change.patch deleted file mode 100644 index c7ac1614..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-se-proxy-protobuf-change.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 77dbb98428b0661f0ceee54208d226fc7fb27130 Mon Sep 17 00:00:00 2001 -From: Harsimran Singh Tungal -Date: Sun, 1 Jun 2025 11:06:00 +0000 -Subject: [PATCH 02/11] se proxy protobuf change - -Upstream-Status: Pending (not yet submitted to upstream) -Signed-off-by: Emekcan Aras -Signed-off-by: Harsimran Singh Tungal ---- - .../se-proxy/env/commonsp/se_proxy_sp.c | 24 ++++++++++++++++++- - 1 file changed, 23 insertions(+), 1 deletion(-) - -diff --git a/deployments/se-proxy/env/commonsp/se_proxy_sp.c b/deployments/se-proxy/env/commonsp/se_proxy_sp.c -index 485d7649..9f94092b 100644 ---- a/deployments/se-proxy/env/commonsp/se_proxy_sp.c -+++ b/deployments/se-proxy/env/commonsp/se_proxy_sp.c -@@ -13,6 +13,7 @@ - #include "trace.h" - #include "deployments/se-proxy/infra/service_proxy_factory.h" - #include "deployments/se-proxy/se_proxy_interfaces.h" -+#include - - static bool sp_init(uint16_t *own_sp_id); - -@@ -25,6 +26,8 @@ void __noreturn sp_main(union ffa_boot_info *boot_info) - uint16_t own_id = 0; - sp_result result = SP_RESULT_INTERNAL_ERROR; - rpc_status_t rpc_status = RPC_ERROR_INTERNAL; -+ struct rpc_service_interface *crypto_iface_protobuf = NULL; -+ struct crypto_provider *crypto_protobuf_provider = NULL; - - /* Boot phase */ - if (!sp_init(&own_id)) { -@@ -39,7 +42,7 @@ void __noreturn sp_main(union ffa_boot_info *boot_info) - goto fatal_error; - } - -- rpc_status = ts_rpc_endpoint_sp_init(&rpc_endpoint, 5, 16); -+ rpc_status = ts_rpc_endpoint_sp_init(&rpc_endpoint, 6, 16); - if (rpc_status != RPC_SUCCESS) { - EMSG("Failed to initialize RPC endpoint: %d", rpc_status); - goto fatal_error; -@@ -106,6 +109,25 @@ void __noreturn sp_main(union ffa_boot_info *boot_info) - goto fatal_error; - } - -+ crypto_protobuf_provider = crypto_protobuf_provider_factory_create(); -+ if (!crypto_protobuf_provider) { -+ EMSG("Failed to create crypto protobuf provider factory"); -+ goto fatal_error; -+ } -+ -+ crypto_iface_protobuf = service_provider_get_rpc_interface( -+ &crypto_protobuf_provider->base_provider); -+ if (!crypto_iface_protobuf) { -+ EMSG("Failed to create service provider RPC interface"); -+ goto fatal_error; -+ } -+ -+ rpc_status = ts_rpc_endpoint_sp_add_service(&rpc_endpoint, crypto_iface_protobuf); -+ if (rpc_status != RPC_SUCCESS) { -+ EMSG("Failed to add service to RPC endpoint: %d", rpc_status); -+ goto fatal_error; -+ } -+ - /* End of boot phase */ - result = sp_msg_wait(&req_msg); - if (result != SP_RESULT_OK) { --- -2.34.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Integrate-PSA-FWU-IPC-framework-for-Corstone-1000.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Integrate-PSA-FWU-IPC-framework-for-Corstone-1000.patch deleted file mode 100644 index 4a80e6b3..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Integrate-PSA-FWU-IPC-framework-for-Corstone-1000.patch +++ /dev/null @@ -1,436 +0,0 @@ -From f385ddacc8cc62842f7c9c91622d59959c41e718 Mon Sep 17 00:00:00 2001 -From: Harsimran Singh Tungal -Date: Thu, 28 Nov 2024 12:02:28 +0000 -Subject: [PATCH 04/11] Integrate PSA FWU IPC framework for Corstone-1000 - -Integrate IPC framework for PSA FWU calls between Cortex-A side and Cortex-M subsystems. - -IPC framework is required to bridge the PSA FWU calls for the platforms which have -both Cortex-A and Cortex-M subsystems. Corstone-1000 falls under this category of -platforms. In these platforms, the PSA FWU client and PSA FWU provider exist on -Cortex-A and all the PSA FWU services are implemented on Cortex-M side. This IPC -framework forwards the PSA FWU calls from Cortex-A to Cortex-M subsystem. - -Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/33826] -Signed-off-by: Harsimran Singh Tungal ---- - components/service/common/include/psa/sid.h | 6 +- - .../interface/psa_ipc/component.cmake | 13 + - .../psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.c | 253 ++++++++++++++++++ - .../psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h | 49 ++++ - .../se-proxy/infra/corstone1000/infra.cmake | 2 +- - .../corstone1000/service_proxy_factory.c | 16 ++ - 6 files changed, 337 insertions(+), 2 deletions(-) - create mode 100644 components/service/fwu/psa_fwu_m/interface/psa_ipc/component.cmake - create mode 100644 components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.c - create mode 100644 components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h - -diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h -index 5aaa659d..0235764d 100644 ---- a/components/service/common/include/psa/sid.h -+++ b/components/service/common/include/psa/sid.h -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2019-2023, Arm Limited. All rights reserved. -+ * Copyright (c) 2019-2024, Arm Limited. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - * -@@ -58,6 +58,10 @@ extern "C" { - #define TFM_ATTEST_GET_TOKEN_SIZE 1002 - - /******** TFM_SP_FWU ********/ -+#define TFM_FIRMWARE_UPDATE_SERVICE_SID (0x000000A0U) -+#define TFM_FIRMWARE_UPDATE_SERVICE_VERSION (1U) -+#define TFM_FIRMWARE_UPDATE_SERVICE_HANDLE (0x40000104U) -+ - #define TFM_FWU_WRITE_SID (0x000000A0U) - #define TFM_FWU_WRITE_VERSION (1U) - #define TFM_FWU_INSTALL_SID (0x000000A1U) -diff --git a/components/service/fwu/psa_fwu_m/interface/psa_ipc/component.cmake b/components/service/fwu/psa_fwu_m/interface/psa_ipc/component.cmake -new file mode 100644 -index 00000000..cdc653a6 ---- /dev/null -+++ b/components/service/fwu/psa_fwu_m/interface/psa_ipc/component.cmake -@@ -0,0 +1,13 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2024, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/psa_fwu_ipc.c" -+) -diff --git a/components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.c b/components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.c -new file mode 100644 -index 00000000..a47ae539 ---- /dev/null -+++ b/components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.c -@@ -0,0 +1,253 @@ -+/* -+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+#include "service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h" -+#include "service/fwu/psa_fwu_m/interface/tfm_fwu_defs.h" -+#include "service/fwu/psa_fwu_m/interface/update.h" -+ -+/** -+ * @brief The singleton psa_fwu_ipc instance -+ * -+ * The psa attestation C API assumes a single backend service provider. -+ */ -+static struct service_client instance; -+ -+psa_status_t psa_fwu_ipc_init(struct rpc_caller_session *session) -+{ -+ return service_client_init(&instance, session); -+} -+ -+void psa_fwu_ipc_deinit(void) -+{ -+ service_client_deinit(&instance); -+} -+ -+int psa_fwu_rpc_status(void) -+{ -+ return instance.rpc_status; -+} -+ -+psa_status_t psa_fwu_query(psa_fwu_component_t component, -+ psa_fwu_component_info_t *info) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ if (!info) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&component), .len = sizeof(component) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(info), .len = sizeof(*info) }, -+ }; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_QUERY, in_vec, IOVEC_LEN(in_vec), -+ out_vec, IOVEC_LEN(out_vec)); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_start(psa_fwu_component_t component, -+ const void *manifest, -+ size_t manifest_size) -+{ -+ if(manifest_size > UINT32_MAX) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&component), .len = sizeof(component) }, -+ { .base = psa_ptr_const_to_u32(manifest), .len = manifest_size }, -+ }; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_START, in_vec, IOVEC_LEN(in_vec), -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_write(psa_fwu_component_t component, -+ size_t image_offset, -+ const void *block, -+ size_t block_size) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ if (!block || !block_size) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ if((image_offset > UINT32_MAX) || (block_size > UINT32_MAX)) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&component), .len = sizeof(component) }, -+ { .base = psa_ptr_to_u32(&image_offset), .len = sizeof(uint32_t) }, -+ { .base = psa_ptr_const_to_u32(block), .len = block_size }, -+ }; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_WRITE, in_vec, IOVEC_LEN(in_vec), -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_finish(psa_fwu_component_t component) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&component), .len = sizeof(component) }, -+ }; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_FINISH, in_vec, IOVEC_LEN(in_vec), -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_cancel(psa_fwu_component_t component) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&component), .len = sizeof(component) }, -+ }; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_CANCEL, in_vec, IOVEC_LEN(in_vec), -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_clean(psa_fwu_component_t component) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&component), .len = sizeof(component) }, -+ }; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_CLEAN, in_vec, IOVEC_LEN(in_vec), -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_install(void) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = {}; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_INSTALL, in_vec, 0, -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_request_reboot(void) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = {}; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_REQUEST_REBOOT, in_vec, 0, -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_reject(psa_status_t error) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&error), .len = sizeof(error) }, -+ }; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_REJECT, in_vec, IOVEC_LEN(in_vec), -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_accept(void) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = {}; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_ACCEPT, in_vec, 0, -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -diff --git a/components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h b/components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h -new file mode 100644 -index 00000000..867a1c9c ---- /dev/null -+++ b/components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h -@@ -0,0 +1,49 @@ -+/* -+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_FWU_IPC_H -+#define PSA_FWU_IPC_H -+ -+#include -+#include "rpc_caller_session.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/** -+ * @brief Initialize a PSA FWU ipc client -+ * -+ * A PSA FWU ipc client makes RPC calls to a remote FWU service. -+ * -+ * @param[in] rpc_caller RPC caller instance -+ * -+ * @return A status indicating the success/failure of the operation -+ */ -+psa_status_t psa_fwu_ipc_init(struct rpc_caller_session *session); -+ -+/** -+ * @brief Deinitialize a PSA FWU ipc client -+ * -+ */ -+void psa_fwu_ipc_deinit(void); -+ -+/** -+ * @brief Return the most recent RPC status -+ * -+ * May be used to obtain information about an RPC error that resulted -+ * in an API operation failure -+ * -+ * @return Most recent RPC operation status -+ */ -+int psa_fwu_rpc_status(void); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_FWU_IPC_H */ -+ -diff --git a/deployments/se-proxy/infra/corstone1000/infra.cmake b/deployments/se-proxy/infra/corstone1000/infra.cmake -index 3830f9d6..2bf6b36e 100644 ---- a/deployments/se-proxy/infra/corstone1000/infra.cmake -+++ b/deployments/se-proxy/infra/corstone1000/infra.cmake -@@ -26,7 +26,7 @@ add_components(TARGET "se-proxy" - "components/service/fwu/provider" - "components/service/fwu/provider/serializer" - "components/service/fwu/psa_fwu_m/agent" -- "components/service/fwu/psa_fwu_m/interface/stub" -+ "components/service/fwu/psa_fwu_m/interface/psa_ipc" - "components/service/secure_storage/backend/secure_storage_ipc" - ) - -diff --git a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -index 759983b4..547e84bc 100644 ---- a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -+++ b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -@@ -14,6 +14,7 @@ - #include - #include "service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.h" - #include "service/fwu/provider/fwu_provider.h" -+#include "service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h" - #include - #include "service/secure_storage/frontend/secure_storage_provider/secure_storage_uuid.h" - #include -@@ -134,10 +135,25 @@ struct rpc_service_interface *its_proxy_create(void) - - struct rpc_service_interface *fwu_proxy_create(void) - { -+ rpc_status_t rpc_status = RPC_ERROR_INTERNAL; - static struct update_agent *agent; - static struct fwu_provider fwu_provider = { 0 }; - -+ /* Static objects for proxy instance */ -+ static struct rpc_caller_interface rss_comms = { 0 }; -+ static struct rpc_caller_session rpc_session = { 0 }; -+ -+ rpc_status = rss_comms_caller_init(&rss_comms); -+ if (rpc_status != RPC_SUCCESS) -+ return NULL; -+ -+ rpc_status = rpc_caller_session_open(&rpc_session, &rss_comms, &dummy_uuid, 0, 0); -+ if (rpc_status != RPC_SUCCESS) -+ return NULL; -+ - agent = psa_fwu_m_update_agent_init(NULL, 0, 4096); -+ if (psa_fwu_ipc_init(&rpc_session) != PSA_SUCCESS) -+ return NULL; - - return fwu_provider_init(&fwu_provider, agent); - } --- -2.34.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Load-initial-image-state-in-PSA-FWU-M-update-agent.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Load-initial-image-state-in-PSA-FWU-M-update-agent.patch deleted file mode 100644 index 2f43369f..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Load-initial-image-state-in-PSA-FWU-M-update-agent.patch +++ /dev/null @@ -1,188 +0,0 @@ -From 6fb3bead9e0eea3640ad1209347691c2b40512a2 Mon Sep 17 00:00:00 2001 -From: Imre Kis -Date: Wed, 5 Feb 2025 14:27:45 +0100 -Subject: [PATCH 2/8] Load initial image state in PSA FWU M update agent - -Set initial image state based on the image state returned by -psa_fwu_query. This way the update agent has the correct view of images -after reboot and it can accept or reject them. - -Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/35155] -Signed-off-by: Imre Kis -Change-Id: I150e4fdb4584c8d07f5f1f642ee88197f9cff49b -Signed-off-by: Harsimran Singh Tungal ---- - .../psa_fwu_m/agent/psa_fwu_m_update_agent.c | 23 +++++++-- - .../test/test_psa_fwu_m_update_agent.cpp | 49 ++++++++++++++++++- - docs/services/fwu/psa-fwu-m.rst | 14 +++++- - 3 files changed, 80 insertions(+), 6 deletions(-) - -diff --git a/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.c b/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.c -index 6de9ba71..48b86f6e 100644 ---- a/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.c -+++ b/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2024, Arm Limited. All rights reserved. -+ * Copyright (c) 2024-2025, Arm Limited. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - * -@@ -609,8 +609,11 @@ struct update_agent *psa_fwu_m_update_agent_init( - const struct psa_fwu_m_image_mapping image_mapping[], size_t image_count, - uint32_t max_payload_size) - { -+ psa_status_t psa_status = PSA_ERROR_GENERIC_ERROR; - struct psa_fwu_m_update_agent *context = NULL; -+ struct psa_fwu_component_info_t info = { 0 }; - struct psa_fwu_m_image *images = NULL; -+ enum psa_fwu_m_state state = regular; - struct update_agent *agent = NULL; - size_t i = 0; - -@@ -637,9 +640,23 @@ struct update_agent *psa_fwu_m_update_agent_init( - } - - for (i = 0; i < image_count; i++) { -+ psa_status = psa_fwu_query(image_mapping[i].component, &info); -+ if (psa_status != PSA_SUCCESS) { -+ free(images); -+ free(context); -+ free(agent); -+ return NULL; -+ } -+ - images[i].uuid = image_mapping[i].uuid; - images[i].component = image_mapping[i].component; -- images[i].selected_for_staging = false; -+ if (info.state == PSA_FWU_TRIAL) { -+ images[i].selected_for_staging = true; -+ state = trial; -+ } else { -+ images[i].selected_for_staging = false; -+ } -+ - images[i].read = NULL; /* Cannot read images */ - images[i].write = image_write; - } -@@ -654,7 +671,7 @@ struct update_agent *psa_fwu_m_update_agent_init( - context->images = images; - context->image_count = image_count + 1; - context->max_payload_size = max_payload_size; -- context->state = regular; -+ context->state = state; - - agent->context = context; - agent->interface = &interface; -diff --git a/components/service/fwu/psa_fwu_m/agent/test/test_psa_fwu_m_update_agent.cpp b/components/service/fwu/psa_fwu_m/agent/test/test_psa_fwu_m_update_agent.cpp -index de289fff..3805d182 100644 ---- a/components/service/fwu/psa_fwu_m/agent/test/test_psa_fwu_m_update_agent.cpp -+++ b/components/service/fwu/psa_fwu_m/agent/test/test_psa_fwu_m_update_agent.cpp -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2024, Arm Limited. All rights reserved. -+ * Copyright (c) 2024-2025, Arm Limited. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - * -@@ -14,6 +14,9 @@ - - TEST_GROUP(psa_fwu_m_update_agent) { - TEST_SETUP() { -+ psa_fwu_component_info_t info = {0}; -+ expect_mock_psa_fwu_query(mapping[0].component, &info, PSA_SUCCESS); -+ expect_mock_psa_fwu_query(mapping[1].component, &info, PSA_SUCCESS); - agent = psa_fwu_m_update_agent_init(mapping, 2, 4096); - handle = 0; - progress = 0; -@@ -667,4 +670,46 @@ TEST(psa_fwu_m_update_agent, select_previous) - - expect_mock_psa_fwu_reject(0, PSA_SUCCESS); - LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_select_previous(agent)); --} -\ No newline at end of file -+} -+ -+TEST(psa_fwu_m_update_agent, boot_in_trial_mode_query_fail) { -+ psa_fwu_component_info_t info = {0}; -+ -+ expect_mock_psa_fwu_query(mapping[0].component, &info, PSA_ERROR_GENERIC_ERROR); -+ POINTERS_EQUAL(NULL, psa_fwu_m_update_agent_init(mapping, 2, 4096)); -+} -+ -+TEST(psa_fwu_m_update_agent, boot_in_trial_mode_select_previous) { -+ psa_fwu_component_info_t info0 = {0}; -+ psa_fwu_component_info_t info1 = {0}; -+ -+ info1.state = PSA_FWU_TRIAL; -+ -+ expect_mock_psa_fwu_query(mapping[0].component, &info0, PSA_SUCCESS); -+ expect_mock_psa_fwu_query(mapping[1].component, &info1, PSA_SUCCESS); -+ -+ update_agent *agent = psa_fwu_m_update_agent_init(mapping, 2, 4096); -+ -+ expect_mock_psa_fwu_reject(0, PSA_SUCCESS); -+ LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_select_previous(agent)); -+ -+ psa_fwu_m_update_agent_deinit(agent); -+} -+ -+TEST(psa_fwu_m_update_agent, boot_in_trial_mode_accept) { -+ psa_fwu_component_info_t info0 = {0}; -+ psa_fwu_component_info_t info1 = {0}; -+ -+ info1.state = PSA_FWU_TRIAL; -+ -+ expect_mock_psa_fwu_query(mapping[0].component, &info0, PSA_SUCCESS); -+ expect_mock_psa_fwu_query(mapping[1].component, &info1, PSA_SUCCESS); -+ -+ update_agent *agent = psa_fwu_m_update_agent_init(mapping, 2, 4096); -+ -+ expect_mock_psa_fwu_accept(PSA_SUCCESS); -+ LONGS_EQUAL(FWU_STATUS_DENIED, update_agent_accept_image(agent, &mapping[0].uuid)); -+ LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_accept_image(agent, &mapping[1].uuid)); -+ -+ psa_fwu_m_update_agent_deinit(agent); -+} -diff --git a/docs/services/fwu/psa-fwu-m.rst b/docs/services/fwu/psa-fwu-m.rst -index 26ffed09..1358015f 100644 ---- a/docs/services/fwu/psa-fwu-m.rst -+++ b/docs/services/fwu/psa-fwu-m.rst -@@ -44,6 +44,11 @@ The solutions to these differences: - * Convert the image query result returned by FWU-M to FWU-A format. There are similar field, but this imposes some - limitations. - -+Initialization -+``````````````` -+ -+The initial image and agent state is determined based on the image state returned by ``psa_fwu_query()``. -+ - - ``fwu_discover()`` - `````````````````` -@@ -71,6 +76,10 @@ agent switches to trial state, so the client can validate the new set of images - - On calling ``fwu_end_staging()`` the agent calls ``psa_fwu_finish()`` on each selected image, then calls - ``psa_fwu_install()``. If all images have been accepted (see ``fwu_commit()``) it also calls ``psa_fwu_accept()``. -+The implementation treats ``PSA_SUCCESS_REBOOT`` and ``PSA_SUCCESS_RESTART`` status values as error. In an A+M system the M -+class side shouldn't restart the system, so calling ``psa_fwu_request_reboot()`` does not fit the system. There's also no -+PSA FWU A return code for inidicating the restart request to the normal world. If the normal world has to restart the -+system after ending the staging phase, it has to do it in an implementation defined way. - - .. uml:: ../uml/psa_fwu_m_update_agent/fwu_end_staging.puml - -@@ -136,7 +145,10 @@ calls ``psa_fwu_accept()`` when all images have been accepted. This results in a - ````````````````````````` - - Selects previous working state (i.e. rejects the firmware update) and transitions back to regular state after calling --``psa_fwu_reject()``. -+``psa_fwu_reject()``. The implementation treats ``PSA_SUCCESS_REBOOT`` and ``PSA_SUCCESS_RESTART`` status values as error. -+In an A+M system the M class side shouldn't restart the system, so calling ``psa_fwu_request_reboot()`` does not fit the -+system. There's also no PSA FWU A return code for inidicating the restart request to the normal world. If the normal -+world has to restart the system when rejecting the installed firmware, it has to do it in an implementation defined way. - - .. uml:: ../uml/psa_fwu_m_update_agent/fwu_select_previous.puml - --- -2.25.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-Corstone1000-Define-PSA-FWU-image-mapping-structure.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-Corstone1000-Define-PSA-FWU-image-mapping-structure.patch deleted file mode 100644 index 17b1f87e..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-Corstone1000-Define-PSA-FWU-image-mapping-structure.patch +++ /dev/null @@ -1,128 +0,0 @@ -From 5344d7d0580ca7f2f2569f388dd6e3cd17a372f2 Mon Sep 17 00:00:00 2001 -From: Harsimran Singh Tungal -Date: Thu, 6 Feb 2025 10:26:04 +0000 -Subject: [PATCH 3/8] Corstone1000: Define PSA FWU image mapping structure - -This commit involves following changes - -1. Define PSA FWU image mapping structure for Corstone-1000. -This structure is responsible to map specific image guid with -component number. -To enable platform-specific handling, service_proxy_factory.c now -conditionally selects the appropriate image mapping -based on PLATFORM_IS_FVP. This ensures that both FVP and MPS3 -platforms use the correct GUID and firmware update configuration. - -2. Rename RSS to RSE - -Upstream-Status: Pending -Signed-off-by: Harsimran Singh Tungal -Signed-off-by: Ali Can Ozaslan ---- - .../infra/corstone1000/corstone1000_config.h | 28 +++++++++++++++++++ - .../corstone1000/service_proxy_factory.c | 25 +++++++++++++---- - 2 files changed, 48 insertions(+), 5 deletions(-) - create mode 100644 deployments/se-proxy/infra/corstone1000/corstone1000_config.h - -diff --git a/deployments/se-proxy/infra/corstone1000/corstone1000_config.h b/deployments/se-proxy/infra/corstone1000/corstone1000_config.h -new file mode 100644 -index 00000000..319401f3 ---- /dev/null -+++ b/deployments/se-proxy/infra/corstone1000/corstone1000_config.h -@@ -0,0 +1,28 @@ -+/* -+ * Copyright (c) 2025, Arm Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#ifndef CORSTONE1000_CONFIG_H -+#define CORSTONE1000_CONFIG_H -+ -+#define FWU_IMAGE_COUNT 1 -+ -+/* Maximum payload size to be transferred at once to Secure Enclave */ -+#define MAX_PAYLOAD_SIZE 4096 -+ -+#define CORSTONE1000_FVP_FULL_CAPSULE_UUID \ -+{ 0x4e, 0x3a, 0x9f, 0x98, 0xe0, 0x46, 0xd0, 0x4c, 0x98, 0x77, 0xa2, 0x5c, 0x70, 0xc0, 0x13, 0x29, } -+ -+#define CORSTONE1000_MPS3_FULL_CAPSULE_UUID \ -+{ 0xd1, 0x65, 0x18, 0xdf, 0xfb, 0x90, 0x59, 0x4d, 0x9c, 0x38, 0xc9, 0xf2, 0xc1, 0xbb, 0xa8, 0xcc, } -+ -+/* Image indexes in the UEFI capsule */ -+enum fwu_image_index -+{ -+ FWU_IMAGE_INDEX_FULL_CAPSULE = 1, -+}; -+ -+#endif /* CORSTONE1000_CONFIG_H */ -diff --git a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -index ef91efe0..6e5f1221 100644 ---- a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -+++ b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2021-2024, Arm Limited and Contributors. All rights reserved. -+ * Copyright (c) 2021-2025, Arm Limited and Contributors. All rights reserved. - * Copyright (c) 2021-2023, Linaro Limited. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause -@@ -19,6 +19,7 @@ - #include - #include "service/secure_storage/frontend/secure_storage_provider/secure_storage_uuid.h" - #include -+#include "corstone1000_config.h" - - /* backends */ - #include -@@ -27,6 +28,20 @@ - - static const struct rpc_uuid dummy_uuid = { 0 }; - -+static const struct psa_fwu_m_image_mapping img_mapping[FWU_IMAGE_COUNT] = { -+#if PLATFORM_IS_FVP -+ { -+ .uuid = CORSTONE1000_FVP_FULL_CAPSULE_UUID, -+ .component = FWU_IMAGE_INDEX_FULL_CAPSULE -+ }, -+#else -+ { -+ .uuid = CORSTONE1000_MPS3_FULL_CAPSULE_UUID, -+ .component = FWU_IMAGE_INDEX_FULL_CAPSULE -+ }, -+#endif -+}; -+ - struct rpc_service_interface *attest_proxy_create(void) - { - struct rpc_service_interface *attest_iface = NULL; -@@ -141,20 +156,20 @@ struct rpc_service_interface *fwu_proxy_create(void) - static struct fwu_provider fwu_provider = { 0 }; - - /* Static objects for proxy instance */ -- static struct rpc_caller_interface rss_comms = { 0 }; -+ static struct rpc_caller_interface rse_comms = { 0 }; - static struct rpc_caller_session rpc_session = { 0 }; - -- rpc_status = rss_comms_caller_init(&rss_comms); -+ rpc_status = rse_comms_caller_init(&rse_comms); - if (rpc_status != RPC_SUCCESS) - return NULL; - -- rpc_status = rpc_caller_session_open(&rpc_session, &rss_comms, &dummy_uuid, 0, 0); -+ rpc_status = rpc_caller_session_open(&rpc_session, &rse_comms, &dummy_uuid, 0, 0); - if (rpc_status != RPC_SUCCESS) - return NULL; - -- agent = psa_fwu_m_update_agent_init(NULL, 0, 4096); - if (psa_fwu_ipc_init(&rpc_session) != PSA_SUCCESS) - return NULL; -+ agent = psa_fwu_m_update_agent_init(img_mapping, FWU_IMAGE_COUNT, MAX_PAYLOAD_SIZE); - - return fwu_provider_init(&fwu_provider, agent); - } --- -2.25.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-platform-corstone1000-Enable-ESRT-support.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-platform-corstone1000-Enable-ESRT-support.patch deleted file mode 100644 index 18581440..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-platform-corstone1000-Enable-ESRT-support.patch +++ /dev/null @@ -1,129 +0,0 @@ -From 27d3ce79128478cd163a2db113326c873bda8d08 Mon Sep 17 00:00:00 2001 -From: Harsimran Singh Tungal -Date: Fri, 28 Feb 2025 21:12:56 +0000 -Subject: [PATCH 6/8] platform: corstone1000: Enable ESRT support - -Enable ESRT support for Corstone-1000. -Introduce ESRT image UUID and its component number and -set TFM_FWU_MAX_DIGEST_SIZE to ESRT data size. - -Upstream-Status: Pending -Signed-off-by: Harsimran Singh Tungal ---- - .../infra/corstone1000/corstone1000_config.h | 3 +-- - .../corstone1000/service_proxy_factory.c | 22 +++++++++++++++++-- - .../providers/arm/corstone1000/platform.cmake | 9 ++++++++ - 3 files changed, 30 insertions(+), 4 deletions(-) - -diff --git a/deployments/se-proxy/infra/corstone1000/corstone1000_config.h b/deployments/se-proxy/infra/corstone1000/corstone1000_config.h -index 319401f3..4a68c2fa 100644 ---- a/deployments/se-proxy/infra/corstone1000/corstone1000_config.h -+++ b/deployments/se-proxy/infra/corstone1000/corstone1000_config.h -@@ -8,8 +8,6 @@ - #ifndef CORSTONE1000_CONFIG_H - #define CORSTONE1000_CONFIG_H - --#define FWU_IMAGE_COUNT 1 -- - /* Maximum payload size to be transferred at once to Secure Enclave */ - #define MAX_PAYLOAD_SIZE 4096 - -@@ -23,6 +21,7 @@ - enum fwu_image_index - { - FWU_IMAGE_INDEX_FULL_CAPSULE = 1, -+ FWU_IMAGE_INDEX_ESRT, - }; - - #endif /* CORSTONE1000_CONFIG_H */ -diff --git a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -index 6e5f1221..f0a4853e 100644 ---- a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -+++ b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -@@ -18,6 +18,7 @@ - #include "service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h" - #include - #include "service/secure_storage/frontend/secure_storage_provider/secure_storage_uuid.h" -+#include - #include - #include "corstone1000_config.h" - -@@ -26,9 +27,17 @@ - #include - #include - -+/* IMAGE_MAPPING_ELEMENT_COUNT includes the number of images to be updated and ESRT image */ -+#define IMAGE_MAPPING_ELEMENT_COUNT (FWU_IMAGE_CAPSULE_COUNT + 1) -+ -+/* The index to access the ESRT image in the psa_fwu_m_image_mapping structure -+ * collection. The ESRT image is always accessed at the end of the collection. -+ */ -+#define IMAGE_MAPPING_ESRT_INDEX (IMAGE_MAPPING_ELEMENT_COUNT - 1) -+ - static const struct rpc_uuid dummy_uuid = { 0 }; - --static const struct psa_fwu_m_image_mapping img_mapping[FWU_IMAGE_COUNT] = { -+static struct psa_fwu_m_image_mapping img_mapping[IMAGE_MAPPING_ELEMENT_COUNT] = { - #if PLATFORM_IS_FVP - { - .uuid = CORSTONE1000_FVP_FULL_CAPSULE_UUID, -@@ -42,6 +51,13 @@ static const struct psa_fwu_m_image_mapping img_mapping[FWU_IMAGE_COUNT] = { - #endif - }; - -+/* Every platform needs to define esrt image mapping, if ESRT image UUID is to be used to extract ESRT data */ -+static void define_esrt_image_mapping() -+{ -+ uuid_octets_from_canonical(&img_mapping[IMAGE_MAPPING_ESRT_INDEX].uuid, EFI_SYSTEM_RESOURCE_TABLE_CANONICAL_UUID); -+ img_mapping[IMAGE_MAPPING_ESRT_INDEX].component = FWU_IMAGE_INDEX_ESRT; -+} -+ - struct rpc_service_interface *attest_proxy_create(void) - { - struct rpc_service_interface *attest_iface = NULL; -@@ -169,7 +185,9 @@ struct rpc_service_interface *fwu_proxy_create(void) - - if (psa_fwu_ipc_init(&rpc_session) != PSA_SUCCESS) - return NULL; -- agent = psa_fwu_m_update_agent_init(img_mapping, FWU_IMAGE_COUNT, MAX_PAYLOAD_SIZE); -+ -+ define_esrt_image_mapping(); -+ agent = psa_fwu_m_update_agent_init(img_mapping, IMAGE_MAPPING_ELEMENT_COUNT, MAX_PAYLOAD_SIZE); - - return fwu_provider_init(&fwu_provider, agent); - } -diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -index 60bc208b..db1e9743 100644 ---- a/platform/providers/arm/corstone1000/platform.cmake -+++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -6,11 +6,18 @@ - # Platform definition for the Corstone-1000 platform. - #------------------------------------------------------------------------------- - -+# For ESRT v1 details : https://uefi.org/specs/UEFI/2.9_A/23_Firmware_Update_and_Reporting.html#efi-system-resource-table -+set(FWU_IMAGE_CAPSULE_COUNT 4 CACHE STRING "Maximum number of FWU Images in a capsule to be updated") -+set(ESRT_IMAGE_ENTRY_SIZE 40 CACHE STRING "Size of one ESRT v1 Image entry structure object") -+set(ESRT_REMAINING_FIELDS_SIZE 16 CACHE STRING "Size of remaining fields of ESRT v1 table structure") -+math(EXPR TOTAL_ESRT_SIZE "${FWU_IMAGE_CAPSULE_COUNT} * ${ESRT_IMAGE_ENTRY_SIZE} + ${ESRT_REMAINING_FIELDS_SIZE}" OUTPUT_FORMAT DECIMAL) -+ - set(SMM_GATEWAY_MAX_UEFI_VARIABLES 80 CACHE STRING "Maximum UEFI variable count") - set(SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE 4*4096 CACHE STRING "RPC caller buffer size in SMMGW") - set(SMM_SP_HEAP_SIZE 80*1024 CACHE STRING "SMM gateway SP heap size") - set(PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE 0x43C0 CACHE STRING "Size of the RSE_COMMS_PAYLOAD buffer") - set(COMMS_MHU_MSG_SIZE 0x4500 CACHE STRING "Max message size that can be transfered via MHU") -+set(TFM_FWU_MAX_DIGEST_SIZE ${TOTAL_ESRT_SIZE} CACHE STRING "Maximum size of ESRT entries of all the images in a bank") - - target_compile_definitions(${TGT} PRIVATE - SMM_VARIABLE_INDEX_STORAGE_UID=0x787 -@@ -18,6 +25,8 @@ target_compile_definitions(${TGT} PRIVATE - COMMS_MHU_MSG_SIZE=${COMMS_MHU_MSG_SIZE} - MBEDTLS_ECP_DP_SECP521R1_ENABLED - PLATFORM_IS_FVP=${PLATFORM_IS_FVP} -+ TFM_FWU_MAX_DIGEST_SIZE=${TFM_FWU_MAX_DIGEST_SIZE} -+ FWU_IMAGE_CAPSULE_COUNT=${FWU_IMAGE_CAPSULE_COUNT} - ) - - get_property(_platform_driver_dependencies TARGET ${TGT} --- -2.25.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0021-Align-PSA-Crypto-structs-with-TF-Mv2.1.1.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0021-Align-PSA-Crypto-structs-with-TF-Mv2.1.1.patch deleted file mode 100644 index 238037cd..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0021-Align-PSA-Crypto-structs-with-TF-Mv2.1.1.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 71da6c0384fb241cadf052968e8dce9c357e4a33 Mon Sep 17 00:00:00 2001 -From: Ali Can Ozaslan -Date: Tue, 29 Apr 2025 07:52:14 +0000 -Subject: [PATCH] Align PSA Crypto structs with TF-Mv2.1.1 - -The psa_client_key_attributes_s struct had to be aligned with the -psa_key_attributes_s struct in TF-M. - -Signed-off-by: Ali Can Ozaslan -Upstream-Status: Backport [Included in version v1.2.0] ---- - components/service/crypto/include/psa/crypto_client_struct.h | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/components/service/crypto/include/psa/crypto_client_struct.h b/components/service/crypto/include/psa/crypto_client_struct.h -index ebc4008..f0c8cad 100644 ---- a/components/service/crypto/include/psa/crypto_client_struct.h -+++ b/components/service/crypto/include/psa/crypto_client_struct.h -@@ -38,7 +38,6 @@ struct psa_client_key_attributes_s - uint32_t alg; - uint32_t alg2; - uint32_t id; -- int32_t owner_id; - }; - - #define PSA_CLIENT_KEY_ATTRIBUTES_INIT {0, 0, 0, 0, 0, 0} --- -2.34.1 - From patchwork Tue Sep 16 15:00:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hugues KAMBA MPIANA X-Patchwork-Id: 70360 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A557ECAC59E for ; Tue, 16 Sep 2025 15:00:26 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.641.1758034822578668685 for ; Tue, 16 Sep 2025 08:00:22 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: hugues.kambampiana@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id EDE6EFEC; Tue, 16 Sep 2025 08:00:13 -0700 (PDT) Received: from LXKV206JHX.arm.com (unknown [10.57.80.132]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 987403F694; Tue, 16 Sep 2025 08:00:21 -0700 (PDT) From: Hugues KAMBA MPIANA To: meta-arm@lists.yoctoproject.org Cc: Hugues KAMBA MPIANA Subject: [PATCH 4/4] arm-bsp/ts:corstone1000: Rename patches Date: Tue, 16 Sep 2025 16:00:13 +0100 Message-ID: <20250916150013.30666-5-hugues.kambampiana@arm.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250916150013.30666-1-hugues.kambampiana@arm.com> References: <20250916150013.30666-1-hugues.kambampiana@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Sep 2025 15:00:26 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6714 Rename the Corstone-1000 Trusted Services patches so that their numbering matches the application order, and the remainder of each patch name matches its corresponding commit message subject. Signed-off-by: Hugues KAMBA MPIANA --- ...1000-Add-CORSTONE_1000_TYPE-variabl.patch} | 2 +- ...1000-Add-event-provider-proxy-for-b.patch} | 2 +- ...w-platform-override-of-FWU-mapping-.patch} | 2 +- ...CCESS_REBOOT-and-PSA_SUCCESS_RESTAR.patch} | 2 +- ...1000-Add-MM-communication-buffer-co.patch} | 0 ...port-for-ESRT-v1-in-PSA-FWU-M-agent.patch} | 2 +- ...ing-warnings-as-errors-configurable.patch} | 2 +- ...config-Remove-Werror-compile-option.patch} | 2 +- ...09-fwu-proxy-refactor-image-mapping.patch} | 2 +- ...store-UEFI-variable-index-in-chunks.patch} | 0 ..._HAS_ATTEST_PK-define-from-IAT-test.patch} | 0 ...rypto-fix-AEAD-block-cypher-support.patch} | 2 +- .../trusted-services/ts-arm-platforms.inc | 24 +++++++++---------- 13 files changed, 21 insertions(+), 21 deletions(-) rename meta-arm-bsp/recipes-security/trusted-services/corstone1000/{0009-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch => 0001-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch} (97%) rename meta-arm-bsp/recipes-security/trusted-services/corstone1000/{0016-platform-corstone1000-Add-event-provider-proxy.patch => 0002-platform-corstone1000-Add-event-provider-proxy-for-b.patch} (99%) rename meta-arm-bsp/recipes-security/trusted-services/corstone1000/{0017-platform-corstone1000-Define-GUID-for-each-payloads.patch => 0003-fwu-se-proxy-Allow-platform-override-of-FWU-mapping-.patch} (99%) rename meta-arm-bsp/recipes-security/trusted-services/corstone1000/{0013-Fix-PSA-FWU-IPC-psa_fwu_install-return-value-check.patch => 0004-fwu-Coerce-PSA_SUCCESS_REBOOT-and-PSA_SUCCESS_RESTAR.patch} (97%) rename meta-arm-bsp/recipes-security/trusted-services/corstone1000/{0018-Add-the-com-buffer-address-and-page-count.patch => 0005-platform-corstone1000-Add-MM-communication-buffer-co.patch} (100%) rename meta-arm-bsp/recipes-security/trusted-services/corstone1000/{0014-fwu-Add-EFI-ESRT-v1-support.patch => 0006-fwu-Add-support-for-ESRT-v1-in-PSA-FWU-M-agent.patch} (99%) rename meta-arm-bsp/recipes-security/trusted-services/corstone1000/{0022-Make-treating-warnings-as-errors-configurable.patch => 0007-Make-treating-warnings-as-errors-configurable.patch} (99%) rename meta-arm-bsp/recipes-security/trusted-services/corstone1000/{0003-Remove-Werror-flag.patch => 0008-smm-gateway-config-Remove-Werror-compile-option.patch} (95%) rename meta-arm-bsp/recipes-security/trusted-services/corstone1000/{0007-fwu-proxy-refactor-image-mapping.patch => 0009-fwu-proxy-refactor-image-mapping.patch} (99%) rename meta-arm-bsp/recipes-security/trusted-services/corstone1000/{0007-Revert-Load-and-store-UEFI-variable-index-in-chunks.patch => 0010-Revert-Load-and-store-UEFI-variable-index-in-chunks.patch} (100%) rename meta-arm-bsp/recipes-security/trusted-services/corstone1000/{0004-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch => 0011-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch} (100%) rename meta-arm-bsp/recipes-security/trusted-services/corstone1000/{0024-psa-crypto-fix-AEAD-block-cypher-support.patch => 0012-psa-crypto-fix-AEAD-block-cypher-support.patch} (97%) diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch similarity index 97% rename from meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch rename to meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch index 47fab7a1..18b6d7be 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch @@ -1,7 +1,7 @@ From 2cd4db9828f244de77e402ad31c52d9c4ba3c600 Mon Sep 17 00:00:00 2001 From: Hugues KAMBA MPIANA Date: Tue, 5 Aug 2025 14:05:49 +0100 -Subject: [PATCH 1/7] platform: corstone1000: Add CORSTONE_1000_TYPE variable +Subject: [PATCH] platform: corstone1000: Add CORSTONE_1000_TYPE variable for platform selection This change introduces a CORSTONE_1000_TYPE variable in both CMake diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-platform-corstone1000-Add-event-provider-proxy.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-platform-corstone1000-Add-event-provider-proxy-for-b.patch similarity index 99% rename from meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-platform-corstone1000-Add-event-provider-proxy.patch rename to meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-platform-corstone1000-Add-event-provider-proxy-for-b.patch index 86868071..c5f2a0b9 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-platform-corstone1000-Add-event-provider-proxy.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-platform-corstone1000-Add-event-provider-proxy-for-b.patch @@ -1,7 +1,7 @@ From 6a4cedce9d433bc42a71ac77c3cd90dde4242951 Mon Sep 17 00:00:00 2001 From: Hugues KAMBA MPIANA Date: Tue, 5 Aug 2025 15:22:44 +0100 -Subject: [PATCH 2/7] platform: corstone1000: Add event provider proxy for boot +Subject: [PATCH] platform: corstone1000: Add event provider proxy for boot confirmation handling This patch introduces an event forwarding framework to support diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-platform-corstone1000-Define-GUID-for-each-payloads.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-fwu-se-proxy-Allow-platform-override-of-FWU-mapping-.patch similarity index 99% rename from meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-platform-corstone1000-Define-GUID-for-each-payloads.patch rename to meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-fwu-se-proxy-Allow-platform-override-of-FWU-mapping-.patch index 8d13cedf..2a0e398a 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-platform-corstone1000-Define-GUID-for-each-payloads.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-fwu-se-proxy-Allow-platform-override-of-FWU-mapping-.patch @@ -1,7 +1,7 @@ From a518c74b7ce050bba2d0aaece701086dc50ffa53 Mon Sep 17 00:00:00 2001 From: Hugues KAMBA MPIANA Date: Tue, 5 Aug 2025 13:54:13 +0100 -Subject: [PATCH 3/7] fwu:se-proxy: Allow platform override of FWU mapping and +Subject: [PATCH] fwu:se-proxy: Allow platform override of FWU mapping and payload size Allow platform override of FWU mapping and payload size diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Fix-PSA-FWU-IPC-psa_fwu_install-return-value-check.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-fwu-Coerce-PSA_SUCCESS_REBOOT-and-PSA_SUCCESS_RESTAR.patch similarity index 97% rename from meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Fix-PSA-FWU-IPC-psa_fwu_install-return-value-check.patch rename to meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-fwu-Coerce-PSA_SUCCESS_REBOOT-and-PSA_SUCCESS_RESTAR.patch index 4ef78eb3..c171a70b 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Fix-PSA-FWU-IPC-psa_fwu_install-return-value-check.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-fwu-Coerce-PSA_SUCCESS_REBOOT-and-PSA_SUCCESS_RESTAR.patch @@ -1,7 +1,7 @@ From 8b8eb4a2d512de06d3ee8a17dd9295cd38efd68d Mon Sep 17 00:00:00 2001 From: Hugues KAMBA MPIANA Date: Tue, 5 Aug 2025 14:42:17 +0100 -Subject: [PATCH 4/7] fwu: Coerce PSA_SUCCESS_REBOOT and PSA_SUCCESS_RESTART to +Subject: [PATCH] fwu: Coerce PSA_SUCCESS_REBOOT and PSA_SUCCESS_RESTART to PSA_SUCCESS Map `PSA_SUCCESS_REBOOT` and `PSA_SUCCESS_RESTART` (returned by diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Add-the-com-buffer-address-and-page-count.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-platform-corstone1000-Add-MM-communication-buffer-co.patch similarity index 100% rename from meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Add-the-com-buffer-address-and-page-count.patch rename to meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-platform-corstone1000-Add-MM-communication-buffer-co.patch diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-fwu-Add-EFI-ESRT-v1-support.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-fwu-Add-support-for-ESRT-v1-in-PSA-FWU-M-agent.patch similarity index 99% rename from meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-fwu-Add-EFI-ESRT-v1-support.patch rename to meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-fwu-Add-support-for-ESRT-v1-in-PSA-FWU-M-agent.patch index c10a88a8..61ae510d 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-fwu-Add-EFI-ESRT-v1-support.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-fwu-Add-support-for-ESRT-v1-in-PSA-FWU-M-agent.patch @@ -1,7 +1,7 @@ From d5ca8c5b73c3ff3bc5c137828932e440c6a7f187 Mon Sep 17 00:00:00 2001 From: Hugues KAMBA MPIANA Date: Tue, 5 Aug 2025 15:05:33 +0100 -Subject: [PATCH 5/7] fwu: Add support for ESRT v1 in PSA FWU-M agent +Subject: [PATCH] fwu: Add support for ESRT v1 in PSA FWU-M agent MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0022-Make-treating-warnings-as-errors-configurable.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-Make-treating-warnings-as-errors-configurable.patch similarity index 99% rename from meta-arm-bsp/recipes-security/trusted-services/corstone1000/0022-Make-treating-warnings-as-errors-configurable.patch rename to meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-Make-treating-warnings-as-errors-configurable.patch index d79e9e99..75742285 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0022-Make-treating-warnings-as-errors-configurable.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-Make-treating-warnings-as-errors-configurable.patch @@ -1,7 +1,7 @@ From 44e56b28f6a5ea9caab0bcccce3d02c59bb5d0ce Mon Sep 17 00:00:00 2001 From: Gyorgy Szing Date: Tue, 19 Aug 2025 11:07:39 +0200 -Subject: [PATCH 1/8] Make treating warnings as errors configurable +Subject: [PATCH] Make treating warnings as errors configurable Introduce the CMAKE_COMPILE_WARNING_AS_ERROR build option to control whether the project treats compiler warnings as errors. This option is diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-Remove-Werror-flag.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-smm-gateway-config-Remove-Werror-compile-option.patch similarity index 95% rename from meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-Remove-Werror-flag.patch rename to meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-smm-gateway-config-Remove-Werror-compile-option.patch index 7d4f17e6..427f99c9 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-Remove-Werror-flag.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-smm-gateway-config-Remove-Werror-compile-option.patch @@ -1,7 +1,7 @@ From c50ad182f8375eacb315b894229eec7f4cad1b30 Mon Sep 17 00:00:00 2001 From: Hugues KAMBA MPIANA Date: Fri, 18 Oct 2024 11:50:32 +0000 -Subject: [PATCH 6/7] smm-gateway/config: Remove `Werror` compile option +Subject: [PATCH] smm-gateway/config: Remove `Werror` compile option Adding `-Werror` to CMakeLists.txt unintended when originally committed. diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-fwu-proxy-refactor-image-mapping.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-fwu-proxy-refactor-image-mapping.patch similarity index 99% rename from meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-fwu-proxy-refactor-image-mapping.patch rename to meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-fwu-proxy-refactor-image-mapping.patch index 591ff58f..4db64306 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-fwu-proxy-refactor-image-mapping.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-fwu-proxy-refactor-image-mapping.patch @@ -1,7 +1,7 @@ From ca3870a123f3449407d460dcbc6bc0ba0d135e1e Mon Sep 17 00:00:00 2001 From: Gyorgy Szing Date: Tue, 26 Aug 2025 15:01:44 +0200 -Subject: [PATCH 7/7] fwu-proxy: refactor image mapping +Subject: [PATCH] fwu-proxy: refactor image mapping Stop defining the size of the image mapping and the number of mappings at different places (C code vs cmake). Move the number of images to the diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-Revert-Load-and-store-UEFI-variable-index-in-chunks.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Revert-Load-and-store-UEFI-variable-index-in-chunks.patch similarity index 100% rename from meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-Revert-Load-and-store-UEFI-variable-index-in-chunks.patch rename to meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Revert-Load-and-store-UEFI-variable-index-in-chunks.patch diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch similarity index 100% rename from meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch rename to meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0024-psa-crypto-fix-AEAD-block-cypher-support.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-psa-crypto-fix-AEAD-block-cypher-support.patch similarity index 97% rename from meta-arm-bsp/recipes-security/trusted-services/corstone1000/0024-psa-crypto-fix-AEAD-block-cypher-support.patch rename to meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-psa-crypto-fix-AEAD-block-cypher-support.patch index ee016245..69f85ede 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0024-psa-crypto-fix-AEAD-block-cypher-support.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-psa-crypto-fix-AEAD-block-cypher-support.patch @@ -1,7 +1,7 @@ From 85c8535f448466cdbd773f7072a42203ebc6ae64 Mon Sep 17 00:00:00 2001 From: Gabor Abonyi Date: Fri, 4 Apr 2025 11:43:09 +0000 -Subject: [PATCH 01/25] psa-crypto: fix AEAD block cypher support +Subject: [PATCH] psa-crypto: fix AEAD block cypher support This change enables support for block cyphers that require input data to be processed in whole block-sized chunks. diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc b/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc index 703c07cb..092a2cb4 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc @@ -2,18 +2,18 @@ FILESEXTRAPATHS:prepend:corstone1000 := "${THISDIR}/corstone1000:" COMPATIBLE_MACHINE:corstone1000 = "corstone1000" SRC_URI:append:corstone1000 = " \ - file://0009-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch \ - file://0016-platform-corstone1000-Add-event-provider-proxy.patch \ - file://0017-platform-corstone1000-Define-GUID-for-each-payloads.patch \ - file://0013-Fix-PSA-FWU-IPC-psa_fwu_install-return-value-check.patch \ - file://0018-Add-the-com-buffer-address-and-page-count.patch \ - file://0014-fwu-Add-EFI-ESRT-v1-support.patch \ - file://0022-Make-treating-warnings-as-errors-configurable.patch \ - file://0003-Remove-Werror-flag.patch \ - file://0007-fwu-proxy-refactor-image-mapping.patch \ - file://0007-Revert-Load-and-store-UEFI-variable-index-in-chunks.patch \ - file://0004-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch \ - file://0024-psa-crypto-fix-AEAD-block-cypher-support.patch \ + file://0001-platform-corstone1000-Add-CORSTONE_1000_TYPE-variabl.patch \ + file://0002-platform-corstone1000-Add-event-provider-proxy-for-b.patch \ + file://0003-fwu-se-proxy-Allow-platform-override-of-FWU-mapping-.patch \ + file://0004-fwu-Coerce-PSA_SUCCESS_REBOOT-and-PSA_SUCCESS_RESTAR.patch \ + file://0005-platform-corstone1000-Add-MM-communication-buffer-co.patch \ + file://0006-fwu-Add-support-for-ESRT-v1-in-PSA-FWU-M-agent.patch \ + file://0007-Make-treating-warnings-as-errors-configurable.patch \ + file://0008-smm-gateway-config-Remove-Werror-compile-option.patch \ + file://0009-fwu-proxy-refactor-image-mapping.patch \ + file://0010-Revert-Load-and-store-UEFI-variable-index-in-chunks.patch \ + file://0011-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch \ + file://0012-psa-crypto-fix-AEAD-block-cypher-support.patch \ " # The patches above introduce errors with GCC 14.1, silence them for now CFLAGS:append:corstone1000 = " -Wno-int-conversion -Wno-implicit-function-declaration"